Don't show deleted users on admin pages

hypothesis · May 30, 2024 · 3923a3d · 3923a3d
1 parent 41e805b
commit 3923a3d
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 0 deletions.
diff --git a/h/views/admin/users.py b/h/views/admin/users.py
@@ -42,6 +42,23 @@ def users_index(request):
         if user is None:
             user = models.User.get_by_email(request.db, username, authority)
 
+    if (user is not None) and user.deleted:
+        # Don't show users that're marked as deleted on admin pages.
+        #
+        # Users that're marked as deleted can't login or authenticate requests
+        # in any way. They're in the process of being purged by a background
+        # task and will soon be really deleted from the DB.
+        #
+        # Showing these users on admin pages is confusing because admins may
+        # have already deleted a user (so the user has been marked as deleted
+        # and is now going to be purged) and then think that the user has not
+        # been deleted successfully because they still show up on the admin
+        # pages.
+        #
+        # Also we don't want admins to be able to do things like rename users
+        # who're marked as deleted and in the process of being purged.
+        user = None
+
     if user is not None:
         svc = request.find_service(name="annotation_stats")
         user_meta["annotations_count"] = svc.total_user_annotation_count(user.userid)

diff --git a/tests/unit/h/views/admin/users_test.py b/tests/unit/h/views/admin/users_test.py
@@ -94,6 +94,24 @@ def test_users_index_no_user_found(models, pyramid_request):
     }
 
 
+@users_index_fixtures
+def test_users_index_user_marked_as_deleted(models, pyramid_request, factories):
+    pyramid_request.params = {"username": "bob", "authority": "foo.org"}
+    user = factories.User.build(username="bob", authority="foo.org", deleted=True)
+    models.User.get_by_username.return_value = user
+
+    result = users_index(pyramid_request)
+
+    assert result == {
+        "default_authority": "example.com",
+        "username": "bob",
+        "authority": "foo.org",
+        "user": None,
+        "user_meta": {},
+        "format_date": format_date,
+    }
+
+
 @users_index_fixtures
 def test_users_index_user_found(
     models, pyramid_request, factories, annotation_stats_service