Cascade-delete entities "owned" by User

[alexbudarov]

Security problem:

• Launch any Jmix app

• Create user "max", assign system-full-access role.

• Delete max

• Create new user "max", don't assign any roles

• Reopen "max". Oops, he has system-full-access role (left from previous user)

Solution:

• Determine list of entities in jmix modules that are "owned" by user entity and should be cascade-deleted with it.
• Develop mechanism of declaring on-user-delete logic in framework's addons.
• In Jmix project template - implement EntityChanged event listener calling all necessary cascade deletions for attached modules.

Preliminary list of what should be cascade-deleted:

• sec_role_assignment_entity
• ui_setting
• ui_table_presentation
• saved filters (when they will be implemented)

[andreysubbotin]

• Introduce application eventUserRemovedEvent(UserDetails). The event is fired when a user is removed.
• DatabaseUserRepository handles EntityChangedEvent for User entity and fires UserRemovedEvent
• Custom security implementations can fire an UserRemovedEvent event according to their logic.
• UI settings, table presentation, filters, role assignments subscribe to UserRemovedEvent and perform cleanup after a user was removed.

[andreysubbotin]

The security problem that is described in the ticket description should be fixed.
Rows assotiated with user (column username) from tables sec_role_assignment_entity, ui_setting, ui_table_presentation, ui_filter_configuration` should be removed while remove user entity.

[maistrenkoIulia]

1.1.0-SNAPSHOT - ok
Jmix version: 1.0.0-SNAPSHOT - ok