From 380f22b859070725a2446cef7d7b250559f1ad27 Mon Sep 17 00:00:00 2001
From: Sebastian Spaeth <Sebastian@SSpaeth.de>
Date: Thu, 15 Nov 2012 10:44:38 +0100
Subject: [PATCH] Allowing to delete a user account (#302)

Add a "Delete user account" template and link to it from the user
account settings page.

Create a delete_account function and fill in most blanks. We can now
successfully delete our own account.

Thanks to Elrond for catching a stray csrf_exempt in a previous iteration
of this patch.

Signed-off-by: Sebastian Spaeth <Sebastian@SSpaeth.de>
---
 mediagoblin/edit/routing.py                   |  2 +
 mediagoblin/edit/views.py                     | 31 +++++++++++++
 .../mediagoblin/edit/delete_account.html      | 43 +++++++++++++++++++
 .../mediagoblin/edit/edit_account.html        |  1 +
 4 files changed, 77 insertions(+)
 create mode 100644 mediagoblin/templates/mediagoblin/edit/delete_account.html

diff --git a/mediagoblin/edit/routing.py b/mediagoblin/edit/routing.py
index d382e549..035a766f 100644
--- a/mediagoblin/edit/routing.py
+++ b/mediagoblin/edit/routing.py
@@ -22,3 +22,5 @@ add_route('mediagoblin.edit.legacy_edit_profile', '/edit/profile/',
     'mediagoblin.edit.views:legacy_edit_profile')
 add_route('mediagoblin.edit.account', '/edit/account/',
     'mediagoblin.edit.views:edit_account')
+add_route('mediagoblin.edit.delete_account', '/edit/account/delete/',
+    'mediagoblin.edit.views:delete_account')
diff --git a/mediagoblin/edit/views.py b/mediagoblin/edit/views.py
index 9b7cab46..c656c63f 100644
--- a/mediagoblin/edit/views.py
+++ b/mediagoblin/edit/views.py
@@ -266,6 +266,37 @@ def edit_account(request):
          'form': form})
 
 
+@require_active_login
+def delete_account(request):
+    """Delete a user completely"""
+    user = request.user
+    if request.method == 'POST':
+        if request.form.get(u'confirmed'):
+            # Form submitted and confirmed. Actually delete the user account
+            # Log out user and delete cookies etc.
+            # TODO: Should we be using MG.auth.views.py:logout for this?
+            request.session.delete()
+
+            # Delete user account and all related media files etc....
+            request.user.delete()
+
+            # We should send a message that the user has been deleted
+            # successfully. But we just deleted the session, so we
+            # can't...
+            return redirect(request, 'index')
+
+        else: # Did not check the confirmation box...
+            messages.add_message(
+                request, messages.WARNING,
+                _('You need to confirm the deletion of your account.'))
+
+    # No POST submission or not confirmed, just show page
+    return render_to_response(
+        request,
+        'mediagoblin/edit/delete_account.html',
+        {'user': user})
+
+
 @require_active_login
 @user_may_alter_collection
 @get_user_collection
diff --git a/mediagoblin/templates/mediagoblin/edit/delete_account.html b/mediagoblin/templates/mediagoblin/edit/delete_account.html
new file mode 100644
index 00000000..6d56d77c
--- /dev/null
+++ b/mediagoblin/templates/mediagoblin/edit/delete_account.html
@@ -0,0 +1,43 @@
+{#
+# GNU MediaGoblin -- federated, autonomous media hosting
+# Copyright (C) 2011, 2012 MediaGoblin contributors.  See AUTHORS.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#}
+{% extends "mediagoblin/base.html" %}
+
+{% import "/mediagoblin/utils/wtforms.html" as wtforms_util %}
+
+{% block mediagoblin_content %}
+
+  <form action="{{ request.urlgen('mediagoblin.edit.delete_account') }}"
+        method="POST" enctype="multipart/form-data">
+    <div class="form_box">
+      <h1>Really delete user '{{ user.username }}' and all related media/comments?
+      </h1>
+      <p class="delete_checkbox_box">
+	<input type="checkbox" name="confirmed"/>
+	<label for="confirmed">Yes, really delete my account</label>
+      </p>
+
+      <div class="form_submit_buttons">
+	<a class="button_action" href="{{ request.urlgen(
+                         'mediagoblin.user_pages.user_home',
+                          user=user.username) }}">{% trans %}Cancel{% endtrans %}</a>
+        {{ csrf_token }}
+        <input type="submit" value="{% trans %}Delete permanently{% endtrans %}" class="button_form" />
+      </div>
+    </div>
+  </form>
+{% endblock %}
diff --git a/mediagoblin/templates/mediagoblin/edit/edit_account.html b/mediagoblin/templates/mediagoblin/edit/edit_account.html
index 38d99893..fc556f55 100644
--- a/mediagoblin/templates/mediagoblin/edit/edit_account.html
+++ b/mediagoblin/templates/mediagoblin/edit/edit_account.html
@@ -53,4 +53,5 @@
       </div>
     </div>
   </form>
+  <a href="{{request.urlgen('mediagoblin.edit.delete_account')}}">Delete my account and all related media</a>
 {% endblock %}
-- 
2.25.1