Add bulk ActivityPub capability removal confirmation (#2150)

pfefferle · obenland · web-flow · commit 010689beb7a6 · 2025-09-11T17:14:30.000+02:00
Co-authored-by: Konstantin Obenland &lt;obenland@gmx.de&gt;
diff --git a/.github/changelog/2150-from-description b/.github/changelog/2150-from-description
@@ -0,0 +1,4 @@
+Significance: minor
+Type: added
+
+Added confirmation step for bulk removal of ActivityPub capability, asking whether to also delete users from the Fediverse.
diff --git a/includes/scheduler/class-actor.php b/includes/scheduler/class-actor.php
@@ -174,11 +174,6 @@ public static function sticky_post_update( $post_id ) {
 	 * @param int $user_id The user ID being deleted.
 	 */
 	public static function schedule_user_delete( $user_id ) {
-		// Don't bother if the user can't publish ActivityPub content.
-		if ( ! \user_can( $user_id, 'activitypub' ) ) {
-			return;
-		}
-
 		// Get the actor before deletion to ensure we have the data.
 		$actor = Actors::get_by_id( $user_id );
 		if ( \is_wp_error( $actor ) ) {
diff --git a/includes/wp-admin/class-admin.php b/includes/wp-admin/class-admin.php
@@ -12,6 +12,7 @@
 use Activitypub\Comment;
 use Activitypub\Model\Blog;
 use Activitypub\Moderation;
+use Activitypub\Scheduler\Actor;
 
 use function Activitypub\count_followers;
 use function Activitypub\get_content_visibility;
@@ -52,6 +53,9 @@ public static function init() {
 		\add_filter( 'bulk_actions-users', array( self::class, 'user_bulk_options' ) );
 		\add_filter( 'handle_bulk_actions-users', array( self::class, 'handle_bulk_request' ), 10, 3 );
 
+		\add_action( 'admin_post_delete_actor_confirmed', array( self::class, 'handle_bulk_actor_delete_confirmation' ) );
+		\add_action( 'admin_action_activitypub_confirm_removal', array( self::class, 'handle_bulk_actor_delete_page' ) );
+
 		if ( user_can_activitypub( \get_current_user_id() ) ) {
 			\add_action( 'show_user_profile', array( self::class, 'add_profile' ) );
 		}
@@ -582,7 +586,8 @@ public static function user_bulk_options( $actions ) {
 	 * Handle bulk activitypub requests.
 	 *
 	 * * `add_activitypub_cap` - Add the activitypub capability to the selected users.
-	 * * `remove_activitypub_cap` - Remove the activitypub capability from the selected users.
+	 * * `remove_activitypub_cap` - Remove the activitypub capability from the selected users (redirects to confirmation page).
+	 * * `delete_actor_confirmed` - Actually remove the capability after confirmation.
 	 *
 	 * @param string $send_back The URL to send the user back to.
 	 * @param string $action    The requested action.
@@ -591,20 +596,172 @@ public static function user_bulk_options( $actions ) {
 	 * @return string The URL to send the user back to.
 	 */
 	public static function handle_bulk_request( $send_back, $action, $users ) {
-		if (
-			'remove_activitypub_cap' !== $action &&
-			'add_activitypub_cap' !== $action
-		) {
-			return $send_back;
+		switch ( $action ) {
+			case 'add_activitypub_cap':
+				foreach ( $users as $user_id ) {
+					$user = new \WP_User( $user_id );
+					$user->add_cap( 'activitypub' );
+				}
+				return $send_back;
+			case 'remove_activitypub_cap':
+				$removed_count = 0;
+
+				// Remove capabilities immediately.
+				foreach ( $users as $key => $user_id ) {
+					$user = new \WP_User( $user_id );
+
+					// Check if user has ActivityPub capability.
+					if ( ! $user->has_cap( 'activitypub' ) ) {
+						unset( $users[ $key ] );
+						continue;
+					}
+
+					// Remove the capability.
+					$user->remove_cap( 'activitypub' );
+
+					// Force cache refresh for user capabilities.
+					\wp_cache_delete( $user_id, 'users' );
+					\wp_cache_delete( $user_id, 'user_meta' );
+
+					++$removed_count;
+				}
+
+				// Build the query args with proper array handling for fediverse deletion confirmation.
+				$query_args = array(
+					'action'    => 'activitypub_confirm_removal',
+					'send_back' => \rawurlencode( $send_back ),
+				);
+
+				// Add user IDs as separate parameters.
+				foreach ( $users as $index => $user_id ) {
+					$query_args[ sprintf( 'users[%d]', $index ) ] = absint( $user_id );
+				}
+
+				$confirmation_url = \add_query_arg( $query_args, \admin_url( 'users.php' ) );
+
+				// Force redirect instead of just returning URL.
+				\wp_safe_redirect( $confirmation_url );
+				exit;
+			case 'delete_actor_confirmed':
+				// Use unified method with no fediverse deletion (keep).
+				return self::process_capability_removal( $users, 'keep', $send_back );
+			default:
+				return $send_back;
 		}
+	}
 
-		foreach ( $users as $user_id ) {
-			$user = new \WP_User( $user_id );
-			if ( 'add_activitypub_cap' === $action ) {
-				$user->add_cap( 'activitypub' );
-			} elseif ( 'remove_activitypub_cap' === $action ) {
-				$user->remove_cap( 'activitypub' );
-			}
+	/**
+	 * Handle the bulk capability removal page request directly.
+	 */
+	public static function handle_bulk_actor_delete_page() {
+
+		// Check permissions.
+		if ( ! \current_user_can( 'edit_users' ) ) {
+			\wp_die( \esc_html__( 'You do not have sufficient permissions to access this page.', 'activitypub' ) );
+		}
+
+		// Get parameters.
+		// phpcs:ignore WordPress.Security.NonceVerification, WordPress.Security.ValidatedSanitizedInput
+		$users = \wp_unslash( $_GET['users'] ?? array() );
+		// phpcs:ignore WordPress.Security.NonceVerification
+		$send_back = \urldecode( \sanitize_text_field( \wp_unslash( $_GET['send_back'] ?? '' ) ) );
+
+		// Sanitize user IDs.
+		$users = \array_map( 'absint', (array) $users );
+		$users = \array_filter( $users );
+
+		// Validate send_back URL.
+		if ( empty( $send_back ) ) {
+			$send_back = \admin_url( 'users.php' );
+		}
+
+		// Load template and exit to prevent WordPress from trying to load other admin pages.
+		\load_template(
+			ACTIVITYPUB_PLUGIN_DIR . 'templates/bulk-actor-delete-confirmation.php',
+			false,
+			array(
+				'users'     => $users,
+				'send_back' => $send_back,
+			)
+		);
+		exit;
+	}
+
+
+	/**
+	 * Handle the bulk capability removal confirmation form submission.
+	 */
+	public static function handle_bulk_actor_delete_confirmation() {
+		// Verify nonce.
+		if ( ! \wp_verify_nonce( \sanitize_text_field( \wp_unslash( $_POST['_wpnonce'] ?? '' ) ), 'bulk-users' ) ) {
+			\wp_die( \esc_html__( 'Security check failed.', 'activitypub' ) );
+		}
+
+		// Check permissions.
+		if ( ! \current_user_can( 'edit_users' ) ) {
+			\wp_die( \esc_html__( 'You do not have sufficient permissions to perform this action.', 'activitypub' ) );
+		}
+
+		// Get form data.
+		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput
+		$selected_users = \wp_unslash( $_POST['selected_users'] ?? array() );
+		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput
+		$remove_from_fediverse = \wp_unslash( $_POST['remove_from_fediverse'] ?? array() );
+		$send_back             = \esc_url_raw( \wp_unslash( $_POST['send_back'] ?? '' ) );
+
+		// Sanitize user IDs.
+		$selected_users = \array_map( 'absint', (array) $selected_users );
+		$selected_users = \array_filter( $selected_users );
+
+		if ( empty( $selected_users ) ) {
+			\wp_safe_redirect( $send_back );
+			exit;
+		}
+
+		// Process capability removal using unified method.
+		$result = self::process_capability_removal( $selected_users, $remove_from_fediverse, $send_back );
+
+		// Redirect back.
+		\wp_safe_redirect( $result );
+		exit;
+	}
+
+
+	/**
+	 * Process fediverse deletion for users (capabilities already removed).
+	 *
+	 * @param array        $users                  Array of user IDs.
+	 * @param array|string $remove_from_fediverse  Array of user IDs to delete from fediverse, or 'delete'/'keep' for all users.
+	 * @param string       $send_back              URL to redirect back to.
+	 *
+	 * @return string The URL to redirect to.
+	 */
+	public static function process_capability_removal( $users, $remove_from_fediverse, $send_back ) {
+		// Normalize fediverse removal parameter.
+		if ( is_string( $remove_from_fediverse ) ) {
+			// Legacy format: 'delete' or 'keep' for all users.
+			$delete_all      = ( 'delete' === $remove_from_fediverse );
+			$users_to_delete = $delete_all ? $users : array();
+		} else {
+			// New format: array of specific user IDs to delete from fediverse.
+			$remove_from_fediverse = \array_map( 'absint', (array) $remove_from_fediverse );
+			$users_to_delete       = \array_filter( $remove_from_fediverse );
+		}
+
+		// Schedule delete activities for users who should be removed from fediverse.
+		if ( ! empty( $users_to_delete ) ) {
+			// Temporarily bypass capability checks for delete activity scheduling since capabilities were already removed.
+			\add_filter( 'activitypub_user_can_activitypub', '__return_true' );
+
+			\array_map(
+				array(
+					Actor::class,
+					'schedule_user_delete',
+				),
+				$users_to_delete
+			);
+
+			\remove_filter( 'activitypub_user_can_activitypub', '__return_true' );
 		}
 
 		return $send_back;
diff --git a/templates/bulk-actor-delete-confirmation.php b/templates/bulk-actor-delete-confirmation.php
@@ -0,0 +1,62 @@
+<?php
+/**
+ * Bulk ActivityPub actor deletion confirmation template.
+ *
+ * @package Activitypub
+ */
+
+/* @var array $args Template arguments. */
+$args = wp_parse_args( $args ?? array() );
+
+$users     = $args['users'] ?? array();
+$send_back = $args['send_back'] ?? '';
+
+// Validate users.
+if ( empty( $users ) ) {
+	wp_die( esc_html__( 'No users selected.', 'activitypub' ), '', array( 'back_link' => true ) );
+}
+
+// Prepare user data for display.
+$users = get_users( array( 'include' => $users ) );
+
+// If no users with ActivityPub capability, redirect back.
+if ( ! $users ) {
+	wp_safe_redirect( $send_back );
+	exit;
+}
+
+$GLOBALS['plugin_page'] = ''; // phpcs:ignore WordPress.WP.GlobalVariablesOverride.Prohibited
+require_once ABSPATH . 'wp-admin/admin-header.php';
+?>
+<div class="wrap">
+	<h1><?php esc_html_e( 'Delete Users from Fediverse', 'activitypub' ); ?></h1>
+	<p><?php esc_html_e( 'You&#8217;ve just removed the capability to publish to the Fediverse for the selected users, do you want to also remove them from the Fediverse?', 'activitypub' ); ?></p>
+	<p><?php echo wp_kses( __( 'Fediverse deletion is optional but recommended to properly notify your followers. <strong>This action is irreversible.</strong>', 'activitypub' ), array( 'strong' => array() ) ); ?></p>
+	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
+		<?php wp_nonce_field( 'bulk-users' ); ?>
+
+		<input type="hidden" name="action" value="delete_actor_confirmed" />
+		<input type="hidden" name="send_back" value="<?php echo esc_url( $send_back ); ?>" />
+
+		<div class="activitypub-user-list">
+			<ul>
+				<?php foreach ( $users as $user ) : ?>
+					<li>
+						<label>
+							<input type="checkbox" name="remove_from_fediverse[]" value="<?php echo esc_attr( $user->ID ); ?>" class="fediverse-removal-checkbox" />
+							<input type="hidden" name="selected_users[]" value="<?php echo esc_attr( $user->ID ); ?>" />
+							<strong><?php echo esc_html( $user->display_name ); ?></strong>
+						</label>
+					</li>
+				<?php endforeach; ?>
+			</ul>
+		</div>
+
+		<p class="submit">
+			<?php submit_button( __( 'Delete from Fediverse', 'activitypub' ), 'primary', 'submit', false ); ?>
+			<a href="<?php echo esc_url( $send_back ); ?>" class="button"><?php esc_html_e( 'Skip', 'activitypub' ); ?></a>
+		</p>
+	</form>
+</div>
+<?php
+require_once ABSPATH . 'wp-admin/admin-footer.php';
