Add a button for admins to dangerously destroy users, and move user-settings path to be under participants

Author: Redande

app/controllers/settings_controller.rb

@@ -0,0 +1,111 @@
+# frozen_string_literal: true
+
+class SettingsController < ApplicationController
+  skip_authorization_check
+
+  before_action :set_user
+
+  def show
+    authorize! :read, @user
+  end
+
+  def update
+    authorize! :update, @user
+    set_email
+    password_changed = maybe_update_password(@user, params[:user])
+    user_field_changes = set_user_fields
+
+    begin
+      log_user_field_changes(user_field_changes)
+    rescue StandardError
+    end
+
+    if @user.errors.empty? && @user.save
+      flash[:notice] = if password_changed
+        'Changes saved and password changed'
+      else
+        'Changes saved'
+      end
+      redirect_to participant_settings_path(@user)
+    else
+      flash.now[:error] = 'Failed to save profile'
+      render action: :show, status: :forbidden
+    end
+  end
+
+  def dangerously_destroy_user
+    im_sure = params[:im_sure]
+    if im_sure != '1'
+      redirect_to verify_dangerously_destroying_user_participant_settings_url, notice: 'Please check the checkbox after you have read the instructions.'
+      return
+    end
+    @user = authenticate_current_user_destroy
+    username = @user.login
+    sign_out if current_user == @user
+    email = @user.email
+    username = @user.login
+    @user.destroy
+    RecentlyChangedUserDetail.deleted.create!(old_value: false, new_value: true, email: email, username: username)
+    redirect_to root_url, notice: "The account #{username} (#{email}) has been permanently destroyed."
+  end
+
+  def verify_dangerously_destroying_user
+    @user = authenticate_current_user_destroy
+  end
+
+  private
+
+    def authenticate_current_user_destroy
+      user = User.find(params[:participant_id])
+      authorize! :destroy, user
+      user
+    end
+
+    def set_user
+      @user = User.find(params[:participant_id])
+    end
+
+    def set_email
+      user_params = params[:user]
+
+      return if !@user.new_record? && user_params[:email_repeat].blank?
+
+      if user_params[:email].blank?
+        @user.errors.add(:email, 'needed')
+      elsif user_params[:email] != user_params[:email_repeat]
+        @user.errors.add(:email_repeat, 'did not match')
+      else
+        @user.email = user_params[:email].strip
+      end
+    end
+
+    def maybe_update_password(user, user_params)
+      if user_params[:old_password].present? || user_params[:password].present?
+        if !user.has_password?(user_params[:old_password])
+          user.errors.add(:old_password, 'incorrect')
+        elsif user_params[:password] != user_params[:password_repeat]
+          user.errors.add(:password_repeat, 'did not match')
+        elsif user_params[:password].blank?
+          user.errors.add(:password, 'cannot be empty')
+        else
+          user.password = user_params[:password]
+        end
+        true
+      else
+        false
+      end
+    end
+
+    def set_user_fields
+      return if params[:user_field].nil?
+      changes = {}
+      UserField.all.select { |f| f.visible_to?(current_user) }.each do |field|
+        value_record = @user.field_value_record(field)
+        old_value = value_record.ruby_value
+        value_record.set_from_form(params[:user_field][field.name])
+        new_value = value_record.ruby_value
+        changes[field.name] = { from: old_value, to: new_value } unless new_value == old_value
+      end
+      changes
+    end
+end

app/views/participants/_nav.html.erb

@@ -1,7 +1,7 @@
 <nav class="nav nav-tabs nav-justified">
   <%= active_on_current_path_link_to fa_icon("user lg", text: 'Overview'), participant_path(@user), class: 'nav-item nav-link' %>
   <%= active_on_current_path_link_to fa_icon("certificate lg", text: 'Certificates'), participant_certificates_path(@user), class: 'nav-item nav-link' %>
-  <%= active_on_current_path_link_to fa_icon("cog lg", text: 'Settings'), user_path, class: 'nav-item nav-link' %>
+  <%= active_on_current_path_link_to fa_icon("cog lg", text: 'Settings'), participant_settings_path(@user), class: 'nav-item nav-link' %>
 </nav>
 
 <br>

app/views/settings/_form.html.erb

@@ -0,0 +1,65 @@
+<%= form_for @user, url: { :action => :update, :class => "form-horizontal" }, autocomplete: "off" do |f| %>
+  <%= render 'shared/error_messages', :target => @user %>
+
+  <section>
+    <h2>User account</h2>
+    <% unless local_assigns[:hide_login] %>
+      <div class="alert alert-info" role="alert">
+        Your <i>username</i> will be visible to everyone for example in public scoreboards. <br>
+        Therefore it should <b>not</b> contain your student number or your
+        email address.
+      </div>
+      <%= bs_labeled_field('Username', f.text_field(:login, :disabled => !@user.new_record?, class: 'form-control')) %>
+    <% end%>
+    <%= bs_labeled_field('E-mail:', f.text_field(:email, class: 'form-control')) %>
+    <%= bs_labeled_field('Confirm e-mail:', f.text_field(:email_repeat, :value => '', class: 'form-control stop-autofilling', autocomplete: 'off', type: 'email')) %>
+  </section>
+
+  <% if @user.new_record? %>
+    <section>
+      <h2>Password</h2>
+      <%= bs_labeled_field('Password:', f.password_field(:password, :value => '', :autocomplete => 'off', class: 'form-control')) %>
+      <%= bs_labeled_field('Confirm password:', f.password_field(:password_repeat, :value => '', :autocomplete => 'off', class: 'form-control')) %>
+    </section>
+  <% else %>
+    <section>
+      <h2>Change password</h2>
+      <%= bs_labeled_field('Old password:', f.password_field(:old_password, :value => '', class: 'form-control stop-autofilling', autocomplete: 'off')) %>
+      <%= bs_labeled_field('New password:', f.password_field(:password, :value => '', class: 'form-control'), autocomplete: 'off') %>
+      <%= bs_labeled_field('Confirm new password:', f.password_field(:password_repeat, :value => '', class: 'form-control', autocomplete: 'off')) %>
+    </section>
+  <% end %>
+
+  <% if !UserField.all.empty? %>
+    <section>
+      <% for group in UserField.groups %>
+        <% if UserField.by_group(group).any? {|field| field.visible_to?(@user) } %>
+          <h2><%= group %></h2>
+          <% for field in UserField.by_group(group) %>
+            <% if field.visible_to?(@user) %>
+              <%= extra_field(@user.field_value_record(field), :form_scope => 'user_field') %>
+            <% end %>
+          <% end %>
+        <% end %>
+      <% end %>
+    </section>
+  <% end %>
+
+  <section>
+    <% if @user.new_record? %>
+      <%= f.submit "Sign up", class: "btn btn-primary" %>
+    <% else %>
+      <%= f.submit "Save", class: "btn btn-primary" %>
+    <% end %>
+  </section>
+<% end %>
+<br>
+
+
+<script>
+  setTimeout(function() {
+    document.querySelectorAll('.stop-autofilling').forEach(function(e) {
+      e.value = ""
+    })
+  }, 500)
+</script>

app/views/settings/show.html.erb

@@ -0,0 +1,13 @@
+<%= render partial: 'participants/nav' %>
+
+<%= render :partial => 'settings/form', :user => @user, locals: { hide_login: true } %>
+
+<% if can? :destroy, @user %>
+  <%= button_to 'Request deleting account', send_destroy_email_path(@user.id), method: :post, class: 'btn btn-danger' %>
+<% end %>
+
+<br>
+
+<% if current_user.administrator? %>
+  <%= button_to 'Dangerously destroy account', dangerously_destroy_user_participant_settings_path(@user.id), method: :post, class: 'btn btn-danger' %>
+<% end %>

app/views/settings/verify_dangerously_destroying_user.html.erb

@@ -0,0 +1,24 @@
+<h1>Confirm deleting account: <%= @user.username %> (<%= @user.email %>)</h1>
+
+<div class="jumbotron hero-unit-alert alert-danger">
+  Before deleting this user, make sure they don't have any submissions. If they have submissions, advice them to delete their own account by pressing "Request deleting account" -button themselves from their User settings.
+</div>
+
+
+<%= form_tag(dangerously_destroy_user_participant_settings_path, method: :delete, class: 'form-horizontal') do  %>
+  <div class="form-group">
+    <%= check_box_tag :im_sure %>
+    <%= label_tag "I've read the above and I'm sure I understand the consequences", nil, class: "control-label", for: :im_sure %>
+  </div>
+  <p><strong>Pressing the button below will permanently destroy this mooc.fi account.</strong></p>
+  <%= submit_tag("Destroy this account permanently", class: "btn btn-danger", data: { confirm: "Are you sure you want to delete the account #{@user.login}?"}, disabled: "disabled", id: :destroy_button) %>
+<% end %>
+
+
+<script>
+  var checkBox = document.getElementById('im_sure')
+  var destroyButton = document.getElementById('destroy_button')
+  checkBox.addEventListener("click", function() {
+    destroyButton.disabled = !checkBox.checked
+  })
+</script>

config/routes.rb

@@ -236,6 +236,11 @@
   resource :user
 
   resources :participants do
+    resource :settings, only: [:show, :update] do
+      post 'dangerously_destroy_user', to: 'settings#dangerously_destroy_user'
+      get 'verify_dangerously_destroying_user', to: 'settings#verify_dangerously_destroying_user'
+      delete 'dangerously_destroy_user', to: 'settings#dangerously_destroy_user'
+    end
     resources :certificates, only: [:index]
     collection do
       get 'me', to: 'participants#me'