Allow admin to delete any user (except admins)

2021-08-04 21:50:35 +01:00 · 2021-08-04 21:50:35 +01:00 · 562b0ceffe
parent 6bbe2307e9
commit 562b0ceffe
4 changed files with 21 additions and 4 deletions
--- a/app/blueprints/users/settings.py
+++ b/app/blueprints/users/settings.py
@ -270,13 +270,18 @@ def delete(username):
 	if request.method == "GET":
 		return render_template("users/delete.html", user=user, can_delete=user.can_delete())

-	if user.can_delete():
+	if "delete" in request.form and (user.can_delete() or current_user.rank.atLeast(UserRank.ADMIN)):
 		msg = "Deleted user {}".format(user.username)
 		flash(msg, "success")
 		addAuditLog(AuditSeverity.MODERATION, current_user, msg, None)

+		if current_user.rank.atLeast(UserRank.ADMIN):
+			for pkg in user.packages.all():
+				pkg.review_thread = None
+				db.session.delete(pkg)
+
 		db.session.delete(user)
-	else:
+	elif "deactivate" in request.form:
 		user.replies.delete()
 		for thread in user.threads.all():
 			db.session.delete(thread)
@ -286,6 +291,8 @@ def delete(username):
 		msg = "Deactivated user {}".format(user.username)
 		flash(msg, "success")
 		addAuditLog(AuditSeverity.MODERATION, current_user, msg, None)
+	else:
+		assert False

 	db.session.commit()

--- a/app/models/init.py
+++ b/app/models/init.py
@ -115,7 +115,7 @@ class ForumTopic(db.Model):
 	topic_id  = db.Column(db.Integer, primary_key=True, autoincrement=False)

 	author_id = db.Column(db.Integer, db.ForeignKey("user.id"), nullable=False)
-	author    = db.relationship("User")
+	author    = db.relationship("User", back_populates="forum_topics")

 	wip       = db.Column(db.Boolean, server_default="0")
 	discarded = db.Column(db.Boolean, server_default="0")
--- a/app/models/users.py
+++ b/app/models/users.py
@ -174,6 +174,7 @@ class User(db.Model, UserMixin):
 	tokens        = db.relationship("APIToken", back_populates="owner", lazy="dynamic", cascade="all, delete, delete-orphan")
 	threads       = db.relationship("Thread", back_populates="author", lazy="dynamic", cascade="all, delete, delete-orphan")
 	replies       = db.relationship("ThreadReply", back_populates="author", lazy="dynamic", cascade="all, delete, delete-orphan")
+	forum_topics  = db.relationship("ForumTopic", back_populates="author", lazy="dynamic", cascade="all, delete, delete-orphan")

 	def __init__(self, username=None, active=False, email=None, password=None):
 		self.username = username
--- a/app/templates/users/delete.html
+++ b/app/templates/users/delete.html
@ -27,7 +27,16 @@
 			{% endif %}

 			<a class="btn btn-secondary mr-3" href="{{ url_for('users.account', username=user.username) }}">Cancel</a>
-			<input type="submit" value="{% if can_delete %}Delete{% else %}Deactivate{% endif %}" class="btn btn-danger" />
+			<input type="submit"
+				{% if can_delete %}
+					name="delete" value="Delete"
+				{% else %}
+					name="deactivate" value="Deactivate"
+				{% endif %}
+				class="btn btn-danger" />
+			{% if not can_delete and current_user.rank.atLeast(current_user.rank.ADMIN) %}
+				<input type="submit" name="delete" value="Delete Anyway" class="btn btn-danger ml-3" />
+			{% endif %}
 		</div>
 	</form>
 {% endblock %}