OPES-1549: Allow to delete users #206

AaronGilMartinez · 2025-02-10T14:16:02Z

Fixes #184

tests/features/configure_authentication.feature

oe_authentication.permissions.yml

oe_authentication.module

config/schema/oe_authentication.schema.yml

oe_authentication.permissions.yml

oe_authentication.post_update.php

src/Form/AuthenticationSettingsForm.php

oe_authentication.module

donquixote

First batch of feedback.
I want to submit this already, but I still want to have a closer look at the new tests.

tests/features/user-management.feature

tests/Behat/AuthenticationContext.php

donquixote

some changes suggested, but not hard blockers.

config/install/oe_authentication.settings.yml

config/schema/oe_authentication.schema.yml

oe_authentication.module

oe_authentication.post_update.php

src/Form/AuthenticationSettingsForm.php

tests/Behat/AuthenticationContext.php

tests/features/user-management.feature

tests/Behat/AuthenticationContext.php

oe_authentication.module

donquixote · 2025-02-18T18:22:50Z

Some points we missed in our latest planning.

Conflict with default method

If we enable "Restrict options" setting, but set the default cancel method to something that deletes, then:

Users with option to choose a cancel method can only choose the remaining methods.
Users without that option, but permission to cancel their own account, can permanently delete their own account.

Interesting find in AccountSettingsForm:

    $form['registration_cancellation']['user_cancel_method'] += user_cancel_methods();
    foreach (Element::children($form['registration_cancellation']['user_cancel_method']) as $key) {
      // All account cancellation methods that specify #access cannot be
      // configured as default method.
      // @see hook_user_cancel_methods_alter()
      if (isset($form['registration_cancellation']['user_cancel_method'][$key]['#access'])) {
        $form['registration_cancellation']['user_cancel_method'][$key]['#access'] = FALSE;
      }
    }

See the comment about 'access' key.
This means that fixing the @todo about 'access' would actually fix one half of this dilemma.

Right now / with this PR, the available options in the account settings form are dependent on your user account, that is, whether you are uid 1.

I think this entire problem is not a regression, so we could move ahead and ignore it for now.

Which form to use

From UX perspective it seems this setting belongs into "Account settings" form, not "Authentication settings".
Only from the module developer perspective it would make sense to put it in "Authentication settings" because the functionality is provided by oe_authentication module.

TBD with rest of the team.

brummbar · 2025-02-19T08:24:14Z

As per #79 (comment), it's for the site developers to configure a proper default method when restricting the options. Since the module behaves already in that way, we won't add anything as part of this pull request. We could iterate in a different one.

oe_authentication.module

brummbar · 2025-02-19T08:28:06Z

oe_authentication.module

+  $current_user = \Drupal::currentUser();
+  $restrict_user_delete = \Drupal::configFactory()
+    ->get('oe_authentication.settings')
+    ->get('restrict_user_delete_cancel_methods');


We forgot to add a fallback to TRUE, just for the sake of it.

I thought we don't, and rely on upgrade path?
I don't mind if we add it..

I don't know we went back and forth a lot on this. I first said no, then I said ok to add it just to avoid any disruption.

brummbar · 2025-02-19T08:32:45Z

tests/features/user-management.feature

+    And I should see "Delete the account and make its content belong to the Anonymous user."
+
+  Scenario: Users should be able to delete other users when the configuration to
+  restrict the user delete options is not enabled.


Don't split this

AaronGilMartinez force-pushed the disable-delete-user branch 3 times, most recently from 4b81d7f to 3b80ff9 Compare February 11, 2025 08:41

AaronGilMartinez marked this pull request as ready for review February 11, 2025 08:43