users: move account deletion endpoint to /users/:id/deactivate.

Move the account deletion endpoint from /maintenance/users/deletion to either: * https://danbooru.donmai.us/users/deactivate * https://danbooru.donmai.us/users/:id/deactivate This incidentally allows the Owner-level user to deactivate accounts belonging to other users. This is meant for things like deactivating inactive accounts with invalid or abusive names. This is limited to accounts below Gold level for security.
2022-11-05 18:31:49 -05:00
parent 59872d2ed5
commit 3ffde5b23d
10 changed files with 163 additions and 112 deletions
--- a/test/functional/users_controller_test.rb
+++ b/test/functional/users_controller_test.rb
@@ -102,6 +102,82 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
      end
    end

+    context "#deactivate action" do
+      should "render /users/:id/deactivate for the current user" do
+        get_auth deactivate_user_path(@user), @user
+        assert_response :success
+      end
+
+      should "render /users/:id/deactivate for the Owner user" do
+        get_auth deactivate_user_path(@user), create(:owner)
+        assert_response :success
+      end
+
+      should "not render /users/:id/deactivate for a different user" do
+        get_auth deactivate_user_path(@user), create(:user)
+        assert_response 403
+      end
+
+      should "render /users/deactivate for a logged-in user" do
+        get_auth deactivate_users_path, @user
+        assert_response :success
+      end
+
+      should "not render /users/deactivate for a logged-out user" do
+        get deactivate_users_path
+        assert_response 403
+      end
+
+      should "redirect /maintenance/user/deletion to /users/deactivate" do
+        get "/maintenance/user/deletion"
+        assert_redirected_to deactivate_users_path
+      end
+    end
+
+    context "#destroy action" do
+      should "delete the user when given the correct password" do
+        delete_auth user_path(@user), @user, params: { user: { password: "password" }}
+
+        assert_redirected_to posts_path
+        assert_equal(true, @user.reload.is_deleted?)
+        assert_equal("Your account has been deactivated", flash[:notice])
+        assert_nil(session[:user_id])
+        assert_equal(true, @user.user_events.user_deletion.exists?)
+      end
+
+      should "not delete the user when given an incorrect password" do
+        delete_auth user_path(@user), @user, params: { user: { password: "hunter2" }}
+
+        assert_redirected_to deactivate_user_path(@user)
+        assert_equal(false, @user.reload.is_deleted?)
+        assert_equal("Password is incorrect", flash[:notice])
+        assert_equal(@user.id, session[:user_id])
+        assert_equal(false, @user.user_events.user_deletion.exists?)
+      end
+
+      should "allow the Owner to delete other users" do
+        delete_auth user_path(@user), create(:owner)
+
+        assert_redirected_to posts_path
+        assert_equal(true, @user.reload.is_deleted?)
+        assert_equal("Your account has been deactivated", flash[:notice])
+        assert_nil(session[:user_id])
+        assert_equal(true, @user.user_events.user_deletion.exists?)
+      end
+
+      should "not allow users to delete other users" do
+        delete_auth user_path(@user), create(:user), params: { user: { password: "password" }}
+
+        assert_response 403
+      end
+
+      should "not allow logged-out users to delete other users" do
+        delete user_path(@user), params: { user: { password: "password" }}
+
+        assert_response 403
+      end
+    end
+
    context "custom_style action" do
      should "work" do
        @user.update!(custom_style: "span { color: red; }")