Merge c235524 into 42da8bb

app/controllers/user_accounts_controller.rb

@@ -85,6 +85,22 @@ def update
     end
   end
 
+  # DELETE /user_accounts/:id
+  def destroy
+    do_load_resource
+    do_authorize_instance
+
+    if Access::Core.is_standard_user?(@user)
+      @user.destroy
+      respond_to do |format|
+        format.html { redirect_to user_accounts_path, notice: t('baw.shared.actions.user_deleted')}
+        format.json { respond_destroy }
+      end
+    else
+      fail CustomErrors::UnprocessableEntityError.new(t('baw.shared.actions.cannot_delete_account'))
+    end
+  end
+
   # PUT /my_account/prefs
   def modify_preferences
     @user = current_user

app/controllers/users/registrations_controller.rb

@@ -1,31 +1,35 @@
 class Users::RegistrationsController < Devise::RegistrationsController
-# before_filter :configure_sign_up_params, only: [:create]
-# before_filter :configure_account_update_params, only: [:update]
+  # before_filter :configure_sign_up_params, only: [:create]
+  # before_filter :configure_account_update_params, only: [:update]
 
-# GET /resource/sign_up
-# def new
-#   super
-# end
+  # GET /resource/sign_up
+  # def new
+  #   super
+  # end
 
-# POST /resource
-# def create
-#   super
-# end
+  # POST /resource
+  # def create
+  #   super
+  # end
 
-# GET /resource/edit
-# def edit
-#   super
-# end
+  # GET /resource/edit
+  # def edit
+  #   super
+  # end
 
-# PUT /resource
-# def update
-#   super
-# end
+  # PUT /resource
+  # def update
+  #   super
+  # end
 
 # DELETE /resource
-# def destroy
-#   super
-# end
+def destroy
+  if Access::Core.is_standard_user?(resource)
+    super
+  else
+    fail CustomErrors::UnprocessableEntityError.new(t('baw.shared.actions.cannot_delete_account'))
+  end
+end
 
 # GET /resource/cancel
 # Forces the session data which is usually expired after sign

app/models/ability.rb

@@ -502,7 +502,7 @@ def to_user(user, is_guest)
     can [:projects, :sites, :bookmarks, :audio_events, :audio_event_comments], User, id: user.id
 
     # users get their own account and preferences from these actions
-    can [:my_account, :modify_preferences], User, id: user.id
+    can [:my_account, :modify_preferences, :destroy], User, id: user.id
 
     # only logged in users can view a user's profile (read-only)
     can [:show, :filter], User unless is_guest

app/models/user.rb

@@ -67,11 +67,11 @@ def login
   has_many :created_saved_searches, -> { includes :project }, class_name: 'SavedSearch', foreign_key: :creator_id, inverse_of: :creator
   has_many :deleted_saved_searches, -> { includes :project }, class_name: 'SavedSearch', foreign_key: :deleter_id, inverse_of: :deleter
 
-  has_many :created_analysis_jobs, class_name: 'AnalysisJob', foreign_key: :creator_id, inverse_of: :creator
+  has_many :created_analysis_jobs, class_name: 'AnalysisJob', foreign_key: :creator_id, inverse_of: :creator, dependent: :destroy
   has_many :updated_analysis_jobs, class_name: 'AnalysisJob', foreign_key: :updater_id, inverse_of: :updater
   has_many :deleted_analysis_jobs, class_name: 'AnalysisJob', foreign_key: :deleter_id, inverse_of: :deleter
 
-  has_many :permissions, inverse_of: :user
+  has_many :permissions, inverse_of: :user, dependent: :destroy
   has_many :created_permissions, class_name: 'Permission', foreign_key: :creator_id, inverse_of: :creator
   has_many :updated_permissions, class_name: 'Permission', foreign_key: :updater_id, inverse_of: :updater
 

app/views/devise/registrations/edit.html.haml

@@ -17,12 +17,14 @@
     = render partial: 'shared/image_upload', locals: { f: f,  model_instance: resource, model_name: resource_name }
     = f.button :submit_cancel, t('devise.registrations.edit.update'), class: 'btn-default'
 
-%h3 Cancel my account
-%p
-  = t('devise.registrations.edit.unhappy')
-  %br/
-  = button_to t('devise.registrations.edit.cancel_my_account'), registration_path(resource_name),
-    data: { confirm: t('devise.registrations.edit.are_you_sure'), toggle: 'tooltip',  placement: 'right' },
-    title: 'WARNING: This will permanently delete your account',
-    method: :delete,
-    class: "btn btn-danger"
+-# WARNING! LOOK OUT! This MUST be at the top level or be wrapped in a separate form,
+-# otherwise other buttons on the form will delete the account!!!
+- if Access::Core.is_standard_user?(resource)
+  = form_tag(registration_path(resource_name)) do
+    %hr/
+    %h3 Dangerous actions
+    %p
+      = button_to t('devise.registrations.edit.cancel_my_account'), registration_path(resource_name),
+        data: { confirm: t('devise.registrations.edit.are_you_sure'), toggle: 'tooltip',  placement: 'right' },
+        title: 'WARNING: This will permanently delete your account',
+        method: :delete, class: 'btn btn-danger'

app/views/user_accounts/edit.html.haml

@@ -32,6 +32,7 @@
           Not Confirmed
           = f.button :submit, 'Confirm User', class: 'btn-default'
     = render partial: 'shared/image_upload', locals: { f: f,  model_instance: @user, model_name: 'user' }
+    = f.button :submit_cancel, 'Update User', class: 'btn-default'
     %hr/
     - [:confirmed_at,:reset_password_sent_at, :remember_created_at, :sign_in_count, :last_seen_at,
     :current_sign_in_at, :last_sign_in_at, :current_sign_in_ip, :last_sign_in_ip,
@@ -58,4 +59,15 @@
             - else
               %small
                 (no value)
-    = f.button :submit_cancel, 'Update User', class: 'btn-default'
+
+-# WARNING! LOOK OUT! This MUST be at the top level or be wrapped in a separate form,
+-# otherwise other buttons on the form will delete the account!!!
+- if Access::Core.is_standard_user?(@user)
+  = form_tag(user_account_path(@user)) do
+    %hr/
+    %h3 Dangerous actions
+    %p
+      = button_to "Delete user's account", user_account_path(@user),
+      data: { confirm: t('devise.registrations.edit.are_you_sure'), toggle: 'tooltip',  placement: 'right' },
+      title: "WARNING: This will permanently delete this user's account",
+      method: :delete, class: 'btn btn-danger'

config/locales/en/baw.en.yml

@@ -124,4 +124,7 @@ en:
         sign_in_with_provider:
           description: "Use %{provider} to sign in"
         job_status:
-          title: "Job Status"
+          title: "Job Status"
+      actions:
+        user_deleted: User was successfully deleted.
+        cannot_delete_account: Cannot delete this account.

config/routes.rb

@@ -102,7 +102,7 @@
   match 'user_accounts/filter' => 'user_accounts#filter', via: [:get, :post], defaults: {format: 'json'}
 
   # user list and user profile
-  resources :user_accounts, only: [:index, :show, :edit, :update], constraints: {id: /[0-9]+/} do
+  resources :user_accounts, only: [:index, :show, :edit, :update, :destroy], constraints: {id: /[0-9]+/} do
     member do
       get 'projects'
       get 'sites'

config/settings/default.yml

@@ -137,6 +137,7 @@ defaults: &defaults
     wavpack_executable: wvunpack
     shntool_executable: shntool
     wav2png_executable: wav2png
+    wac2wav_executable: wac2wavcmd
     imagemagick_convert_executable: convert
     imagemagick_identify_executable: identify
     max_duration_seconds: 300.0

spec/acceptance/user_accounts_spec.rb

@@ -176,10 +176,81 @@ def id_param
     standard_request_options(:put, 'UPDATE (as anonymous user)', :unauthorized, {remove_auth: true, expected_json_path: get_json_error_path(:sign_in)})
   end
 
+  ################################
+  # DESTROY
+  ################################
+  delete '/user_accounts/:id' do
+    id_param
+    let(:id) { admin_id }
+    let(:authentication_token) { admin_token }
+    standard_request_options(:delete, 'DESTROY (as admin, deleting same user)', :unprocessable_entity, {
+        expected_json_path: 'meta/error/details',
+        expected_body_content: I18n.t('baw.shared.actions.cannot_delete_account')})
+  end
+
+  delete '/user_accounts/:id' do
+    id_param
+    let(:id) { reader_id }
+    let(:authentication_token) { admin_token } # admins only can delete users using devise/registrations#destroy
+    standard_request_options(:delete, 'DESTROY (as admin, deleting other user)', :no_content, {
+        expected_response_has_content: false, expected_response_content_type: nil})
+  end
+
+  delete '/user_accounts/:id' do
+    id_param
+    let(:id) { writer_id }
+    let(:authentication_token) { writer_token }
+    standard_request_options(:delete, 'DESTROY (as writer, deleting same user)', :no_content)
+  end
+
+  delete '/user_accounts/:id' do
+    id_param
+    let(:id) { reader_id }
+    let(:authentication_token) { reader_token }
+    standard_request_options(:delete, 'DESTROY (as reader, deleting same user)', :no_content)
+  end
+
+  delete '/user_accounts/:id' do
+    id_param
+    let(:id) { no_access_id }
+    let(:authentication_token) { writer_token }
+    standard_request_options(:delete, 'DESTROY (as writer, deleting different user)', :forbidden, {expected_json_path: get_json_error_path(:permissions)})
+  end
+
+  delete '/user_accounts/:id' do
+    id_param
+    let(:id) { admin_id }
+    let(:authentication_token) { writer_token }
+    standard_request_options(:delete, 'DESTROY (as writer, deleting admin user)', :forbidden, {expected_json_path: get_json_error_path(:permissions)})
+  end
+
+  delete '/user_accounts/:id' do
+    id_param
+    let(:id) { writer_id }
+    let(:authentication_token) { invalid_token }
+    standard_request_options(:delete, 'DESTROY (with invalid token)', :unauthorized, {expected_json_path: get_json_error_path(:sign_up)})
+  end
+
+  delete '/user_accounts/:id' do
+    id_param
+    let(:id) { writer_id }
+    standard_request_options(:delete, 'DESTROY (as anonymous user)', :unauthorized, {remove_auth: true, expected_json_path: get_json_error_path(:sign_in)})
+  end
+
   ################################
   # MY ACCOUNT
   ################################
 
+  get '/my_account' do
+    let(:authentication_token) { admin_token }
+    standard_request_options(:get, 'MY ACCOUNT (as admin)', :ok, {expected_json_path: 'data/user_name'})
+  end
+
+  get '/my_account' do
+    let(:authentication_token) { writer_token }
+    standard_request_options(:get, 'MY ACCOUNT (as writer)', :ok, {expected_json_path: 'data/user_name'} )
+  end
+
   get '/my_account' do
     let(:authentication_token) { reader_token }
     standard_request_options(:get, 'MY ACCOUNT (as reader)', :ok, {expected_json_path: 'data/user_name'})
@@ -194,6 +265,43 @@ def id_param
     standard_request_options(:get, 'MY ACCOUNT (as anonymous user)', :unauthorized, {remove_auth: true, expected_json_path: get_json_error_path(:sign_up)})
   end
 
+  ################################
+  # MY ACCOUNT (DESTROY)
+  ################################
+
+  delete '/my_account' do
+    let(:authentication_token) { admin_token }
+    standard_request_options(:delete, 'DESTROY (as admin)', :unprocessable_entity, {
+        expected_json_path: 'meta/error/details',
+        expected_body_content: I18n.t('baw.shared.actions.cannot_delete_account')})
+  end
+
+  delete '/my_account' do
+    let(:authentication_token) { harvester_token }
+    standard_request_options(:delete, 'DESTROY (as harvester)', :unprocessable_entity, {
+        expected_json_path: 'meta/error/details',
+        expected_body_content: I18n.t('baw.shared.actions.cannot_delete_account')})
+  end
+
+  delete '/my_account' do
+    let(:authentication_token) { writer_token }
+    standard_request_options(:delete, 'DESTROY (as writer)', :no_content)
+  end
+
+  delete '/my_account' do
+    let(:authentication_token) { reader_token }
+    standard_request_options(:delete, 'DESTROY (as reader)', :no_content)
+  end
+
+  delete '/my_account' do
+    let(:authentication_token) { invalid_token }
+    standard_request_options(:delete, 'DESTROY (with invalid token)', :unauthorized, {expected_json_path: get_json_error_path(:sign_up)})
+  end
+
+  delete '/my_account' do
+    standard_request_options(:delete, 'DESTROY (as anonymous user)', :unauthorized, {remove_auth: true, expected_json_path: get_json_error_path(:sign_in)})
+  end
+
   ################################
   # UPDATE PREFERENCES
   ################################