users: move account deletion endpoint to /users/:id/deactivate.

Move the account deletion endpoint from /maintenance/users/deletion to either: * https://danbooru.donmai.us/users/deactivate * https://danbooru.donmai.us/users/:id/deactivate This incidentally allows the Owner-level user to deactivate accounts belonging to other users. This is meant for things like deactivating inactive accounts with invalid or abusive names. This is limited to accounts below Gold level for security.
2022-11-05 18:31:49 -05:00
parent 59872d2ed5
commit 3ffde5b23d
10 changed files with 163 additions and 112 deletions
--- a/app/controllers/maintenance/user/deletions_controller.rb
+++ b/app/controllers/maintenance/user/deletions_controller.rb
@@ -1,26 +0,0 @@
-# frozen_string_literal: true
-
-module Maintenance
-  module User
-    class DeletionsController < ApplicationController
-      respond_to :html, :json, :xml
-
-      def show
-      end
-
-      def destroy
-        deletion = UserDeletion.new(user: CurrentUser.user, deleter: CurrentUser.user, password: params.dig(:user, :password), request: request)
-        deletion.delete!
-
-        if deletion.errors.none?
-          session.delete(:user_id)
-          flash[:notice] = "Your account has been deactivated"
-          respond_with(deletion, location: posts_path)
-        else
-          flash[:notice] = deletion.errors.full_messages.join("; ")
-          redirect_to maintenance_user_deletion_path
-        end
-      end
-    end
-  end
-end
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -114,6 +114,32 @@ class UsersController < ApplicationController
    end
  end

+  def deactivate
+    if params[:id].present?
+      @user = authorize User.find(params[:id])
+    else
+      @user = authorize CurrentUser.user
+    end
+
+    respond_with(@user)
+  end
+
+  def destroy
+    @user = authorize User.find(params[:id])
+
+    user_deletion = UserDeletion.new(user: @user, deleter: CurrentUser.user, password: params.dig(:user, :password), request: request)
+    user_deletion.delete!
+
+    if user_deletion.errors.none?
+      session.delete(:user_id)
+      flash[:notice] = "Your account has been deactivated"
+      respond_with(user_deletion, location: posts_path)
+    else
+      flash[:notice] = user_deletion.errors.full_messages.join("; ")
+      redirect_to deactivate_user_path(@user)
+    end
+  end
+
  def custom_style
    @custom_css = CurrentUser.user.custom_css
    expires_in 10.years