Unverified Commit 7d38cc48 authored by Luc Didry's avatar Luc Didry
Browse files

Follow-up #300 — Add confirmation step before account deletion

parent 4ede76ba
<!-- confirm_action.tt2 -->
[%#
# Set h2 title and text of confirmation page
#%]
[% IF confirm_action == 'add' ~%]
[% IF previous_action == 'show_exclude' ~%]
<h2><i class="fa fa-check-circle"></i>
......@@ -79,6 +82,15 @@
<p><strong>
[%|loc%]Do you really want to unsubscribe ALL selected subscribers?[%END%]
</strong></p>
[%~ ELSIF confirm_action == 'delete_account' ~%]
<h2><i class="fa fa-check-circle"></i>
[%|loc%]Delete my account[%END%]
</h2>
<p><strong>
[%|loc%]Do you really want to unsubscribe you from all your lists, remove your ownership of your lists and permanently delete your account?[%END%]
<br />
[%|loc%]Please note that you will not be able to delete your account if you are the only owner of one or more list.[%END%]
</strong></p>
[%~ ELSIF confirm_action == 'auth_add' ~%]
<h2><i class="fa fa-check-circle"></i>
[%|loc%]Add subscribers[%END%]
......@@ -226,6 +238,11 @@
</strong></p>
[%~ END %]
[%#
# Create the form.
# Add hidden fields containing the values of the form you want to confirm
# %]
<form action="[% path_cgi %]" method="POST">
[% IF confirm_action == 'add' ~%]
[% FOREACH e = email ~%]
......@@ -291,6 +308,11 @@
[% IF quiet %]checked="checked"[%END%] />
<label for="quiet">[%|loc%]Quiet (don't send deletion email)[%END%]</label>
</div>
[%~ ELSIF confirm_action == 'delete_account' ~%]
<fieldset>
<input type="hidden" name="passwd" value="x"/>
<input type="hidden" name="i_understand_the_consequences" value="1"/>
</fieldset>
[%~ ELSIF confirm_action == 'distribute' ~%]
[% FOREACH i = id ~%]
<input type="hidden" name="id" value="[% i %]" />
......@@ -354,9 +376,17 @@
value="[% i.value.value.replace('\n', '&#10;') %]" />
[%~ END %]
[%~ END %]
[%#
# Confirmation common hidden fields
#%]
<input type="hidden" name="action" value="[% confirm_action %]" />
<input type="hidden" name="list" value="[% list %]" />
<input type="hidden" name="previous_action" value="[% previous_action %]" />
[%#
# Submit and cancel buttons
#%]
[% IF confirm_action == 'arc' || confirm_action == 'arcsearch_id' ~%]
<div>
<input class="MainMenuLinks" type="submit"
......
......@@ -80,7 +80,7 @@
<fieldset>
<label for="password_for_account_deletion">[%|loc%]Enter your password:[%END%]</label>
<input type="password" name="passwd" id="password_for_account_deletion" size="25" />
<input type="checkbox" name="i_understand_the_consequences" id="i_understand_the_consequences" required><label for="i_understand_the_consequences">[%|loc%]I understand that I will be unsubscribed from all my lists and that my account will be permanently deleted[%END%]</label>
<input type="checkbox" name="i_understand_the_consequences" id="i_understand_the_consequences" required><label for="i_understand_the_consequences">[%|loc%]I understand that I will be unsubscribed from all my lists and that my account will be permanently deleted.[%END%]</label>
<br />
<input class="MainMenuLinks" type="submit" name="action_delete_account" value="[%|loc%]Submit[%END%]" />
</fieldset>
......
......@@ -17155,13 +17155,18 @@ sub do_auth {
}
 
sub do_delete_account {
wwslog('info', sprintf('Account deletion: %s asked for its account to be deleted', $param->{'user'}->{'email'}));
wwslog(
'info',
sprintf('Account deletion: %s asked for its account to be deleted',
$param->{'user'}->{'email'})
);
 
# Show form if HTTP POST method not used.
return 1 unless $ENV{'REQUEST_METHOD'} eq 'POST';
 
my $email = Sympa::Tools::Text::canonic_email($param->{'user'}->{'email'});
my $passwd = delete $in{'passwd'}; # Clear it.
my $email =
Sympa::Tools::Text::canonic_email($param->{'user'}->{'email'});
my $passwd = delete $in{'passwd'}; # Clear it.
 
unless ($email) {
Sympa::WWW::Report::reject_report_web('user', 'no_email', {},
......@@ -17177,6 +17182,10 @@ sub do_delete_account {
return 'pref';
}
 
my $next_action =
$session->confirm_action($in{'action'}, $in{'response_action'},
previous_action => 'pref');
unless ($passwd) {
Sympa::WWW::Report::reject_report_web('user', 'missing_arg',
{'argument' => 'passwd'},
......@@ -17194,7 +17203,8 @@ sub do_delete_account {
 
my $data;
 
unless ($data = Sympa::WWW::Auth::check_auth($robot, $email, $passwd)) {
unless (($next_action eq '1')
|| ($data = Sympa::WWW::Auth::check_auth($robot, $email, $passwd))) {
$log->syslog('notice', 'Authentication failed');
web_db_log(
{ 'parameters' => $email,
......@@ -17206,8 +17216,9 @@ sub do_delete_account {
return 'pref';
}
 
return $next_action unless $next_action eq '1';
$param->{'email'} = $email;
$param->{'user'} = $data->{'user'};
 
_set_my_lists_info();
 
......@@ -17215,9 +17226,11 @@ sub do_delete_account {
for my $list (sort keys %{$param->{'which'}}) {
my $l = Sympa::List->new($list, $robot);
# Unsubscribe
$l->delete_list_member('users' => [$email]) if $param->{'which'}->{$list}->{'is_subscriber'};
$l->delete_list_member('users' => [$email])
if $param->{'which'}->{$list}->{'is_subscriber'};
# Remove from the editors
$l->delete_list_admin('editor', $email) if $param->{'which'}->{$list}->{'is_editor'};
$l->delete_list_admin('editor', $email)
if $param->{'which'}->{$list}->{'is_editor'};
# Remove from the owners
if ($param->{'which'}->{$list}->{'is_owner'}) {
my @admins = $l->get_admins('owner');
......@@ -17229,20 +17242,26 @@ sub do_delete_account {
unless (scalar(@privileged_admins)) {
@admins = $l->get_admins('owner');
for my $admin (@admins) {
$l->update_list_admin($admin->{email}, 'owner', {profile => 'privileged'});
$l->update_list_admin($admin->{email}, 'owner',
{profile => 'privileged'});
}
}
} else {
wwslog('info', sprintf('Account deletion: %s is the only owner of %s. The account will not be deleted.', $email, $list));
wwslog(
'info',
sprintf(
'Account deletion: %s is the only owner of %s. The account will not be deleted.',
$email, $list
)
);
push @only_owner, $list;
}
}
}
 
if (@only_owner) {
Sympa::WWW::Report::reject_report_web('user', 'still_owner',
{ lists => join(', ', @only_owner) },
{lists => join(', ', @only_owner)},
$param->{'action'});
return 'pref';
}
......@@ -17250,9 +17269,14 @@ sub do_delete_account {
my $user = Sympa::User->new($email);
$user->expire;
 
wwslog('info', sprintf('Account deletion: the account of %s has been deleted', $email));
wwslog(
'info',
sprintf('Account deletion: the account of %s has been deleted',
$email)
);
 
Sympa::WWW::Report::notice_report_web('account_deleted', {}, $param->{'action'});
Sympa::WWW::Report::notice_report_web('account_deleted', {},
$param->{'action'});
 
do_logout();
}
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment