Add deleting user

Requesting deletion sends a confirmation email. Clicking the link redirects to a site with some warnings and the final destroy button. Admins can delete any accounts, ordinary users can destroy their own account.

Author: Irene

app/controllers/application_controller.rb

@@ -21,10 +21,15 @@ class ApplicationController < ActionController::Base
   include BreadcrumbHelpers
   include EmbeddableHelper
   include AuthorizeCollectionHelper
+  include ApplicationHelper
   check_authorization
 
   rescue_from CanCan::AccessDenied do |_exception|
-    respond_access_denied
+    if current_user.guest?
+      redirect_to(login_path(return_to: return_to_link))
+    else
+      respond_access_denied
+    end
   end
 
   rescue_from ActiveRecord::RecordNotFound do |exception|

app/controllers/users_controller.rb

@@ -85,15 +85,40 @@ def confirm_email
   end
 
   def send_verification_email
-    user = User.find(params[:user_id])
-    raise 'Access denied' if user != current_user && !current_user.admin?
+    user = authenticate_current_user
     raise 'Already verified' if user.email_verified?
     UserMailer.email_confirmation(user).deliver_now
     redirect_to root_path, notice: "Verification email sent to #{user.email}."
   end
 
+  def verify_destroying_user
+    @user = authenticate_current_user
+    token = VerificationToken.delete_user.find_by!(user: @user, token: params[:id])
+  end
+
+  def destroy_user
+    user = authenticate_current_user
+    token = VerificationToken.delete_user.find_by!(user: user, token: params[:id])
+    username = user.login
+    sign_out if current_user == user
+    user.destroy
+    redirect_to root_url, notice: "The account #{username} has been permanently destroyed."
+  end
+
+  def send_destroy_email
+    user = authenticate_current_user
+    UserMailer.destroy_confirmation(user).deliver_now
+    redirect_to root_path, notice: "Verification email sent to #{user.email}."
+  end
+
   private
 
+  def authenticate_current_user
+    user = User.find(params[:user_id])
+    authorize! :destroy, user
+    user
+  end
+
   def set_email
     user_params = params[:user]
 

app/mailers/user_mailer.rb

@@ -6,6 +6,13 @@ def email_confirmation(user)
     mail(from: SiteSetting.value('emails')['from'], to: user.email, subject: "Confirm your TestMyCode Account email address")
   end
 
+  def destroy_confirmation(user)
+    @user = user
+    token = user.verification_tokens.delete_user.create!
+    @url = base_url + verify_destroying_user_path(@user.id, token.token)
+    mail(from: SiteSetting.value('emails')['from'], to: user.email, subject: "Confirm deleting your TestMyCode account")
+  end
+
 
   private
 

app/models/ability.rb

@@ -37,6 +37,11 @@ def initialize(user)
       end
 
       can :create, User if SiteSetting.value(:enable_signup)
+      cannot :destroy, User
+      can :destroy, User do |u|
+        user.administrator? ||
+        u == user
+      end
 
       cannot :read, Course
       can :read, Course do |c|

app/models/verification_token.rb

@@ -4,7 +4,7 @@ class VerificationToken < ActiveRecord::Base
 
   belongs_to :user
 
-  enum type: [:email]
+  enum type: [:email, :delete_user]
 
   validates :type, presence: true
   validates :user, presence: true

app/views/user_mailer/destroy_confirmation.html.erb

@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+  </head>
+  <body>
+    <p>Hello!</p>
+
+    <p>You have requested deleting your TestMyCode account "<%= @user.login %>".</p>
+
+    <p>Please proceed to the following link to continue the deletion process.</p>
+
+    <a href="<%= @url %>"><%= @url %></a>
+
+    <p>If you didn't request deleting your account, just ignore this message.</p>
+  </body>
+</html>

app/views/user_mailer/destroy_confirmation.text.erb

@@ -0,0 +1,9 @@
+Hello!
+
+You have requested deleting your TestMyCode account "<%= @user.login %>".
+
+Please proceed to the following link to continue the deletion process.
+
+<%= @url %>
+
+If you didn't request deleting your account, just ignore this message.

app/views/users/show.html.erb

@@ -3,3 +3,5 @@
 <h1><%= @user.login %></h1>
 
 <%= render :partial => 'users/form', :user => @user %>
+
+<%= button_to 'Request deleting account', send_destroy_email_path(@user.id), method: :post, class: 'btn btn-danger' %>

app/views/users/verify_destroying_user.html.erb

@@ -0,0 +1,29 @@
+<h1>Deleting the account <%= @user.login %></h1>
+
+<div class="alert alert-danger">
+  Deleting your account will have the following consequences:
+    <ul>
+      <li>You will lose all your acquired exercise points. We will not be able to recover them.</li>
+      <li>You will not be able to receive a grade from any TestMyCode course.</li>
+      <li>We will not be able to verify the authencity of any certificates that you have generated.</li>
+    <ul>
+</div>
+
+<p><strong>Pressing the button below will permanently destroy your TestMyCode account.</strong></p>
+
+<%= form_tag(destroy_user_path, method: :delete, class: 'form-horizontal') do  %>
+  <div class="form-group">
+    <%= check_box_tag :im_sure %>
+    <%= label_tag "I've read the above and I'm sure I understand the consequences", nil, class: "control-label", for: :im_sure %>
+  </div>
+  <%= submit_tag("Destroy my account permanently", class: "btn btn-danger", data: { confirm: "Are you sure you want to delete the account #{@user.login}?"}, disabled: "disabled", id: :destroy_button) %>
+<% end %>
+
+
+<script>
+  var checkBox = document.getElementById('im_sure')
+  var destroyButton = document.getElementById('destroy_button')
+  checkBox.addEventListener("click", function() {
+    destroyButton.disabled = !checkBox.checked
+  })
+</script>

config/routes.rb

@@ -230,6 +230,10 @@
   get '/users/:user_id/verify/:id', to: 'users#confirm_email', as: 'confirm_email'
   post '/users/:user_id/send_verification_email', to: 'users#send_verification_email', as: 'send_verification_email'
 
+  post '/users/:user_id/send_destroy_email', to: 'users#send_destroy_email', as: 'send_destroy_email'
+  get '/users/:user_id/destroy/:id', to: 'users#verify_destroying_user', as: 'verify_destroying_user'
+  delete '/users/:user_id/destroy/:id/destroy_user', to: 'users#destroy_user', as: 'destroy_user'
+
   resources :certificates, only: [:show, :create]
 
   resources :emails, only: [:index]