sandstorm / NeosTwoFactorAuthentication

Extend the Neos Backend Login with 2FA
MIT License

BUG: Unable to remove user with existing second factor #22

Closed Benjamin-K closed 12 months ago

Benjamin-K commented 1 year ago

Current behaviour

If you try to remove a user that has a second factor enabled, you will see a 500 Internal Server Error. This is due to the existing second factor:

<!-- Part of the logged Exception -->
Exception in line 182 of .../Packages/Libraries/doctrine/dbal/lib/Doctrine/DBAL/DBALException.php: An exception occurred while executing 'DELETE FROM neos_flow_security_account WHERE persistence_object_identifier = ?' with params ["46c79952-b120-4353-afcb-20179e4420f5"]:

SQLSTATE[23000]: Integrity constraint violation: 1451 Cannot delete or update a parent row: a foreign key constraint fails (`neos_database`.`sandstorm_neostwofactorauthentication_domain_model_secondfactor`, CONSTRAINT `FK_29EF8A7F7D3656A4` FOREIGN KEY (`account`) REFERENCES `neos_flow_security_account` (`persistence_ob)

This is especially a problem in cases where the second factor is enforced and cannot be removed.

Expected behaviour

When removing a user with existing second factor(s), all second factors will be removed first. Then the user will be removed. So in the end, no warning or additional work for the administrator / user manager.

Steps to reproduce

  1. Enforce Two-Factor Authentication (optional).
  2. Create a new user.
  3. Log in as that user and create a second factor.
  4. Log out and re-login as Administrator / UserManager.
  5. Try to remove the user with a second factor.

Environment

Benjamin-K commented 1 year ago

I think we need to do AOP on Neos\Neos\Domain\Service\UserService::deleteUser(User $user) for this.
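
A sketch of the AOP approach suggested in the comment above, as an added example that is not code from the package or from this thread. The aspect's namespace and class name are hypothetical, and the `SecondFactorRepository` class with its `findByAccount()` finder is an assumption derived from the table and column names in the exception.

```php
<?php
declare(strict_types=1);

// Hypothetical namespace and class name, chosen for this example.
namespace Vendor\Site\Aspect;

use Neos\Flow\Annotations as Flow;
use Neos\Flow\Aop\JoinPointInterface;
use Neos\Neos\Domain\Model\User;
// Assumed class: the repository for the package's SecondFactor model.
use Sandstorm\NeosTwoFactorAuthentication\Domain\Repository\SecondFactorRepository;

/**
 * Removes a user's second factors before UserService::deleteUser() runs,
 * so the foreign key on the second factor's "account" column no longer
 * blocks the DELETE on neos_flow_security_account.
 *
 * @Flow\Aspect
 */
class RemoveSecondFactorsOnUserDeletionAspect
{
    /**
     * @Flow\Inject
     * @var SecondFactorRepository
     */
    protected $secondFactorRepository;

    /**
     * @Flow\Before("method(Neos\Neos\Domain\Service\UserService->deleteUser())")
     */
    public function removeSecondFactors(JoinPointInterface $joinPoint): void
    {
        $user = $joinPoint->getMethodArgument('user');
        if (!$user instanceof User) {
            return;
        }
        // A user can own several accounts, and each account several factors.
        foreach ($user->getAccounts() as $account) {
            // Assumed magic finder for the "account" property (name taken from the FK column).
            foreach ($this->secondFactorRepository->findByAccount($account) as $secondFactor) {
                $this->secondFactorRepository->remove($secondFactor);
            }
        }
    }
}
```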