BC-10975 - user admin-api for proper user Deletion (#337)

Author: virgilchiriac

controllers/accounts.js

@@ -88,23 +88,8 @@ const getDeleteHandler = (service) => {
     return async function (req, res, next) {
         try {
             const { id } = req.params;
-            const { userId } = await api(req, { useCallback: false, json: true, version: 'v3' })
+            await api(req, { useCallback: false, json: true, version: 'v3' })
                 .delete(`/${service}/${id}`);
-            const user = await api(req)
-                .get('/users/' + userId, { qs: { $populate: ['roles'] } });
-            const roles = user.roles.map((role) => {
-                return role.name;
-            });
-            const pathRole = getMostSignificantRole(roles);
-
-            if (pathRole === undefined) {
-                const error = new Error('Deletion is supported only for users with role student, teacher or administrator.');
-                error.status = 403;
-                throw error;
-            }
-
-            const data = await api(req)
-                .delete(`/users/v2/admin/${pathRole}/${userId}`);
 
             res.redirect(req.header('Referer'));
         } catch (err) {

controllers/users.js

@@ -257,35 +257,18 @@ const getMostSignificantRole = (roles) => {
 };
 
 const getDeleteHandler = (service) => {
-	let roles;
-	return function (req, res, next) {
-		api(req)
-			.get('/users/' + req.params.id, { qs: { $populate: ['roles'] } })
-			.then(async (user) => {
-				roles = user.roles.map((role) => {
-					return role.name;
-				});
-				return roles;
-			})
-			.then((roles) => {
-				const pathRole = getMostSignificantRole(roles);
-				if (pathRole === undefined) {
-					const error = new Error('Deletion is supported only for users with role student, teacher or administrator.');
-					error.status = 403;
-					throw error;
-				}
-				api(req)
-					.delete(`/users/v2/admin/${pathRole}/${req.params.id}`)
-					.then((data) => {
-						res.redirect(req.header('Referer'));
-					})
-					.catch((err) => {
-						next(err);
-					});
-			})
-			.catch((err) => {
-				next(err);
+	return async function (req, res, next) {
+		try {
+			const userId = req.params.id;
+
+			await api(req, { adminApi: true }).post(`/deletionRequests`, {
+				json: { targetRef: { domain: 'user', id: userId },  deleteAfterMinutes: 0 },
 			});
+
+			res.redirect(req.header('Referer'));
+		} catch (err) {
+			next(err);
+		}
 	};
 };
 // secure routes

views/accounts/accounts.hbs

@@ -28,7 +28,7 @@
         {{/embed}}
         {{#embed "lib/components/modal-form" roles=roles method="delete" class="delete-modal"}}
             {{#content "fields"}}
-                {{> "lib/components/delete-form-user"}}
+                {{> "lib/components/delete-form-account"}}
             {{/content}}
         {{/embed}}
         {{#embed "lib/components/modal-form" class="reglink-modal"}}

views/lib/components/delete-form-account.hbs

@@ -0,0 +1,6 @@
+<div class="form-group">
+    <label class="control-label" for="name">Sind Sie sich sicher, dass Sie das folgende Element löschen wollen? <br /> <br />
+        Dadurch wird nur der Account-Eintrag selbst gelöscht.<br />
+        Wenn Sie den Benutzer und alle seine Daten löschen möchten, tun Sie dies über die Benutzerverwaltungsseite.</label>
+    <input type="text" name="displayName" id="name" class="form-control" disabled>
+</div>

views/lib/components/delete-form-user.hbs

@@ -1,4 +1,6 @@
 <div class="form-group">
-    <label class="control-label" for="name">Sind Sie sich sicher, dass Sie das folgende Element löschen wollen?</label>
+    <label class="control-label" for="name">Sind Sie sich sicher, dass Sie das folgende Element löschen wollen? <br />
+        Dadurch werden <b>der Benutzer und alle seine Daten</b> dauerhaft gelöscht.
+    </label>
     <input type="text" name="displayName" id="name" class="form-control" disabled>
 </div>