From 562b0ceffee5c4dc9fc728dee2eb00d9b8a824ff Mon Sep 17 00:00:00 2001
From: rubenwardy <rw@rubenwardy.com>
Date: Wed, 4 Aug 2021 21:50:35 +0100
Subject: [PATCH] Allow admin to delete any user (except admins)

---
 app/blueprints/users/settings.py | 11 +++++++++--
 app/models/__init__.py           |  2 +-
 app/models/users.py              |  1 +
 app/templates/users/delete.html  | 11 ++++++++++-
 4 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/app/blueprints/users/settings.py b/app/blueprints/users/settings.py
index e89f773..6e9bc87 100644
--- a/app/blueprints/users/settings.py
+++ b/app/blueprints/users/settings.py
@@ -270,13 +270,18 @@ def delete(username):
 	if request.method == "GET":
 		return render_template("users/delete.html", user=user, can_delete=user.can_delete())
 
-	if user.can_delete():
+	if "delete" in request.form and (user.can_delete() or current_user.rank.atLeast(UserRank.ADMIN)):
 		msg = "Deleted user {}".format(user.username)
 		flash(msg, "success")
 		addAuditLog(AuditSeverity.MODERATION, current_user, msg, None)
 
+		if current_user.rank.atLeast(UserRank.ADMIN):
+			for pkg in user.packages.all():
+				pkg.review_thread = None
+				db.session.delete(pkg)
+
 		db.session.delete(user)
-	else:
+	elif "deactivate" in request.form:
 		user.replies.delete()
 		for thread in user.threads.all():
 			db.session.delete(thread)
@@ -286,6 +291,8 @@ def delete(username):
 		msg = "Deactivated user {}".format(user.username)
 		flash(msg, "success")
 		addAuditLog(AuditSeverity.MODERATION, current_user, msg, None)
+	else:
+		assert False
 
 	db.session.commit()
 
diff --git a/app/models/__init__.py b/app/models/__init__.py
index 49a4f0b..3128a38 100644
--- a/app/models/__init__.py
+++ b/app/models/__init__.py
@@ -115,7 +115,7 @@ class ForumTopic(db.Model):
 	topic_id  = db.Column(db.Integer, primary_key=True, autoincrement=False)
 
 	author_id = db.Column(db.Integer, db.ForeignKey("user.id"), nullable=False)
-	author    = db.relationship("User")
+	author    = db.relationship("User", back_populates="forum_topics")
 
 	wip       = db.Column(db.Boolean, server_default="0")
 	discarded = db.Column(db.Boolean, server_default="0")
diff --git a/app/models/users.py b/app/models/users.py
index cf017a4..b12b791 100644
--- a/app/models/users.py
+++ b/app/models/users.py
@@ -174,6 +174,7 @@ class User(db.Model, UserMixin):
 	tokens        = db.relationship("APIToken", back_populates="owner", lazy="dynamic", cascade="all, delete, delete-orphan")
 	threads       = db.relationship("Thread", back_populates="author", lazy="dynamic", cascade="all, delete, delete-orphan")
 	replies       = db.relationship("ThreadReply", back_populates="author", lazy="dynamic", cascade="all, delete, delete-orphan")
+	forum_topics  = db.relationship("ForumTopic", back_populates="author", lazy="dynamic", cascade="all, delete, delete-orphan")
 
 	def __init__(self, username=None, active=False, email=None, password=None):
 		self.username = username
diff --git a/app/templates/users/delete.html b/app/templates/users/delete.html
index ed3a43a..2ff5031 100644
--- a/app/templates/users/delete.html
+++ b/app/templates/users/delete.html
@@ -27,7 +27,16 @@
 			{% endif %}
 
 			<a class="btn btn-secondary mr-3" href="{{ url_for('users.account', username=user.username) }}">Cancel</a>
-			<input type="submit" value="{% if can_delete %}Delete{% else %}Deactivate{% endif %}" class="btn btn-danger" />
+			<input type="submit"
+				{% if can_delete %}
+					name="delete" value="Delete"
+				{% else %}
+					name="deactivate" value="Deactivate"
+				{% endif %}
+				class="btn btn-danger" />
+			{% if not can_delete and current_user.rank.atLeast(current_user.rank.ADMIN) %}
+				<input type="submit" name="delete" value="Delete Anyway" class="btn btn-danger ml-3" />
+			{% endif %}
 		</div>
 	</form>
 {% endblock %}