users: move account deletion endpoint to /users/:id/deactivate.

Move the account deletion endpoint from /maintenance/users/deletion to either: * https://danbooru.donmai.us/users/deactivate * https://danbooru.donmai.us/users/:id/deactivate This incidentally allows the Owner-level user to deactivate accounts belonging to other users. This is meant for things like deactivating inactive accounts with invalid or abusive names. This is limited to accounts below Gold level for security.
2022-11-05 18:31:49 -05:00
parent 59872d2ed5
commit 3ffde5b23d
10 changed files with 163 additions and 112 deletions
--- a/app/controllers/maintenance/user/deletions_controller.rb
+++ b/app/controllers/maintenance/user/deletions_controller.rb
@@ -1,26 +0,0 @@
-# frozen_string_literal: true
-
-module Maintenance
-  module User
-    class DeletionsController < ApplicationController
-      respond_to :html, :json, :xml
-
-      def show
-      end
-
-      def destroy
-        deletion = UserDeletion.new(user: CurrentUser.user, deleter: CurrentUser.user, password: params.dig(:user, :password), request: request)
-        deletion.delete!
-
-        if deletion.errors.none?
-          session.delete(:user_id)
-          flash[:notice] = "Your account has been deactivated"
-          respond_with(deletion, location: posts_path)
-        else
-          flash[:notice] = deletion.errors.full_messages.join("; ")
-          redirect_to maintenance_user_deletion_path
-        end
-      end
-    end
-  end
-end
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -114,6 +114,32 @@ class UsersController < ApplicationController
    end
  end

+  def deactivate
+    if params[:id].present?
+      @user = authorize User.find(params[:id])
+    else
+      @user = authorize CurrentUser.user
+    end
+
+    respond_with(@user)
+  end
+
+  def destroy
+    @user = authorize User.find(params[:id])
+
+    user_deletion = UserDeletion.new(user: @user, deleter: CurrentUser.user, password: params.dig(:user, :password), request: request)
+    user_deletion.delete!
+
+    if user_deletion.errors.none?
+      session.delete(:user_id)
+      flash[:notice] = "Your account has been deactivated"
+      respond_with(user_deletion, location: posts_path)
+    else
+      flash[:notice] = user_deletion.errors.full_messages.join("; ")
+      redirect_to deactivate_user_path(@user)
+    end
+  end
+
  def custom_style
    @custom_css = CurrentUser.user.custom_css
    expires_in 10.years
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -13,6 +13,14 @@ class UserPolicy < ApplicationPolicy
    record.id == user.id || user.is_admin?
  end

+  def deactivate?
+    (record.id == user.id && !user.is_anonymous?) || user.is_owner?
+  end
+
+  def destroy?
+    deactivate?
+  end
+
  def promote?
    user.is_moderator?
  end
--- a/app/views/maintenance/user/deletions/show.html.erb
+++ b/app/views/maintenance/user/deletions/show.html.erb
@@ -1,40 +0,0 @@
-<% page_title "Deactivate Account" %>
-
-<div id="c-maintenance-user-deletions">
-  <div id="a-show" class="prose">
-    <h1>Deactivate Account</h1>
-
-    <p>
-      You can deactivate your <%= Danbooru.config.app_name %> account using
-      the form below. Deactivating your account will do the following things:
-    </p>
-
-    <ul>
-      <li>Change your name to a generic name</li>
-      <li>Delete your favorites</li>
-      <li>Delete your saved searches</li>
-      <li>Delete your password and email address</li>
-      <li>Delete your account settings</li>
-    </ul>
-
-    <p>
-      The following things will <strong>not</strong> be deleted:
-    </p>
-
-    <ul>
-      <li>Posts you've uploaded</li>
-      <li>Comments, forum posts, and private messages</li>
-      <li>Tag edits, wiki edits, translation notes, or any other contributions to the site</li>
-    </ul>
-
-    <p>
-      Enter your password below to deactivate your account. This cannot be
-      undone. Your account cannot be recovered after it is deactivated.
-    </p>
-
-    <%= edit_form_for(:user, url: maintenance_user_deletion_path, method: :delete) do |f| %>
-      <%= f.input :password %>
-      <%= f.submit "Deactivate account", "data-confirm": "Are you sure you want to deactivate your account? This cannot be undone" %>
-    <% end %>
-  </div>
-</div>
--- a/app/views/static/privacy_policy.html.erb
+++ b/app/views/static/privacy_policy.html.erb
@@ -353,8 +353,8 @@
    <p><em>Summary: You may deactivate your account, but we may
    retain your IP address and your public contributions to the Site.</em></p>

-    <p>If you would like to delete your account, you may request your
-    account to be deactivated <%= link_to "here", maintenance_user_deletion_path %>.</p>
+    <p>If you wish to to close your <%= @app_name %> account, you may deactivate your account
+    <%= link_to "here", deactivate_users_path %>.</p>

    <p>When your account is deactivated, we will delete your non-public personal
    information from our active systems, including your email address,
--- a/app/views/users/deactivate.html.erb
+++ b/app/views/users/deactivate.html.erb
@@ -0,0 +1,47 @@
+<% page_title "Deactivate Account" %>
+<%= render "secondary_links" %>
+
+<div id="c-users">
+  <div id="a-deactivate">
+    <% if @user == CurrentUser.user %>
+      <h1>Deactivate Account</h1>
+    <% else %>
+      <h1>Deactivate Account: <%= link_to_user @user %></h1>
+    <% end %>
+
+    <div class="prose mb-4">
+      <p>
+        You can deactivate your <%= Danbooru.config.app_name %> account by entering your password below. Deactivating
+        your account will do the following things:
+      </p>
+
+      <ul>
+        <li>Change your username to a generic username (<i>user_<%= @user.id %></i>).</li>
+        <li>Delete your password, email address, and account settings.</li>
+        <li>Delete your favorites.</li>
+        <li>Delete your saved searches.</li>
+      </ul>
+
+      <p>
+        The following things will <strong>not</strong> be deleted:
+      </p>
+
+      <ul>
+        <li>Posts you've uploaded.</li>
+        <li>Your comments, forum posts, and private messages.</li>
+        <li>Your tag edits, wiki edits, translation notes, and any other contributions you've made to the site.</li>
+        <li>Your login history, including your IP address and geographic location. This is kept for moderation purposes.</li>
+      </ul>
+
+      <p>
+        Enter your password below to deactivate your account. This cannot be
+        undone. Your account cannot be recovered after it is deactivated.
+      </p>
+    </div>
+
+    <%= edit_form_for(:user, url: user_path(@user), method: :delete) do |f| %>
+      <%= f.input :password %>
+      <%= f.submit "Deactivate account", "data-confirm": "Are you sure you want to deactivate your account? This cannot be undone" %>
+    <% end %>
+  </div>
+</div>
--- a/app/views/users/edit.html.erb
+++ b/app/views/users/edit.html.erb
@@ -53,7 +53,7 @@
        <div class="input">
          <label>Account</label>
          <p>
-            <%= link_to "Deactivate account", maintenance_user_deletion_path, id: "delete-account" %>
+            <%= link_to "Deactivate account", deactivate_user_path(@user), id: "delete-account" %>
            (<em>requires confirmation</em>)
          </p>
        </div>