Allow admin to delete any user (except admins)

rubenwardy 2021-08-04 21:50:35 +01:00
parent 6bbe2307e9
commit 562b0ceffe
4 changed files with 21 additions and 4 deletions

@ -270,13 +270,18 @@ def delete(username):
if request.method == "GET":
return render_template("users/delete.html", user=user, can_delete=user.can_delete())
if user.can_delete():
if "delete" in request.form and (user.can_delete() or current_user.rank.atLeast(UserRank.ADMIN)):
msg = "Deleted user {}".format(user.username)
flash(msg, "success")
addAuditLog(AuditSeverity.MODERATION, current_user, msg, None)
if current_user.rank.atLeast(UserRank.ADMIN):
for pkg in user.packages.all():
pkg.review_thread = None
db.session.delete(pkg)
db.session.delete(user)
else:
elif "deactivate" in request.form:
user.replies.delete()
for thread in user.threads.all():
db.session.delete(thread)
@ -286,6 +291,8 @@ def delete(username):
msg = "Deactivated user {}".format(user.username)
flash(msg, "success")
addAuditLog(AuditSeverity.MODERATION, current_user, msg, None)
else:
assert False
db.session.commit()
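Review bot: The new `else: assert False` at the end of the second hunk does request validation with an assert. A POST that carries neither `delete` nor `deactivate`, or a `delete` from a non-admin when `user.can_delete()` is false, raises an unhandled AssertionError; under `python -O` the assert is stripped and the request falls through to `db.session.commit()` with nothing done. Reject the request explicitly instead, e.g. `abort(400)` (assuming Flask's `abort` is imported in this module). Separately, the admin branch in the first hunk hard-deletes every package owned by the user while the audit entry records only `Deleted user …`; adding the deleted package names or count to `msg` would keep the action reconstructable from the log. delete()'s body starts outside the hunk, so the check that exempts admin accounts is presumably above it and is not visible here.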

@ -115,7 +115,7 @@ class ForumTopic(db.Model):
topic_id = db.Column(db.Integer, primary_key=True, autoincrement=False)
author_id = db.Column(db.Integer, db.ForeignKey("user.id"), nullable=False)
author = db.relationship("User")
author = db.relationship("User", back_populates="forum_topics")
wip = db.Column(db.Boolean, server_default="0")
discarded = db.Column(db.Boolean, server_default="0")

@ -174,6 +174,7 @@ class User(db.Model, UserMixin):
tokens = db.relationship("APIToken", back_populates="owner", lazy="dynamic", cascade="all, delete, delete-orphan")
threads = db.relationship("Thread", back_populates="author", lazy="dynamic", cascade="all, delete, delete-orphan")
replies = db.relationship("ThreadReply", back_populates="author", lazy="dynamic", cascade="all, delete, delete-orphan")
forum_topics = db.relationship("ForumTopic", back_populates="author", lazy="dynamic", cascade="all, delete, delete-orphan")
def __init__(self, username=None, active=False, email=None, password=None):
self.username = username

@ -27,7 +27,16 @@
{% endif %}
<a class="btn btn-secondary mr-3" href="{{ url_for('users.account', username=user.username) }}">Cancel</a>
<input type="submit" value="{% if can_delete %}Delete{% else %}Deactivate{% endif %}" class="btn btn-danger" />
<input type="submit"
{% if can_delete %}
name="delete" value="Delete"
{% else %}
name="deactivate" value="Deactivate"
{% endif %}
class="btn btn-danger" />
{% if not can_delete and current_user.rank.atLeast(current_user.rank.ADMIN) %}
<input type="submit" name="delete" value="Delete Anyway" class="btn btn-danger ml-3" />
{% endif %}
</div>
</form>
{% endblock %}
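Review bot: The condition on the `Delete Anyway` button, `current_user.rank.atLeast(current_user.rank.ADMIN)`, reaches `ADMIN` through another member of what is presumably the rank enum. It also repeats an authorization test that the view already evaluates with `UserRank.ADMIN`. Consider computing it once in the view, e.g. passing `can_force_delete=current_user.rank.atLeast(UserRank.ADMIN)` to `render_template`, and writing `{% if not can_delete and can_force_delete %}` here. The button is presentation only and the condition in delete() remains the enforcement point, so a single source for the rule keeps the two from drifting apart. The template starts outside the hunk.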