cgi/deluser.cgi

   1 #!/usr/bin/perl
   2
   3 # deluser.cgi -- support for user deletion via web
   4 # Copyright (c) 2013 Kyle J. McKay.  All rights reserved.
   5 # Portions (c) Petr Baudis <pasky@suse.cz> and (c) Jan Krueger <jk@jk.gs>
   6 # License GPLv2+: GNU GPL version 2 or later.
   7 # www.gnu.org/licenses/gpl-2.0.html
   8 # This is free software: you are free to change and redistribute it.
   9 # There is NO WARRANTY, to the extent permitted by law.
  10
  11 use strict;
  12 use warnings;
  13
  14 use lib "__BASEDIR__";
  15 use Girocco::CGI;
  16 use Girocco::Config;
  17 use Girocco::User;
  18 use Girocco::Util;
  19 binmode STDOUT, ':utf8';
  20
  21 my $gcgi = Girocco::CGI->new('User Removal');
  22 my $cgi = $gcgi->cgi;
  23
  24 unless ($Girocco::Config::manage_users) {
  25         print "<p>I don't manage users.</p>";
  26         exit;
  27 }
  28
  29 if ($cgi->param('mail')) {
  30         print "<p>Go away, bot.</p>";
  31         exit;
  32 }
  33
  34 if (my $romsg=check_readonly(1)) {
  35         print "<p>$romsg</p>\n";
  36         exit;
  37 }
  38
  39 sub _auth_form {
  40         my ($name, $submit) = @_;
  41         print <<EOT;
  42 <form method="post" action="@{[url_path($Girocco::Config::webadmurl)]}/deluser.cgi">
  43 <input type="hidden" name="name" value="$name" />
  44 <p>Authorization code: <input name="auth" size="50" /></p>
  45 <p><input type="submit" name="y0" value="$submit" /></p>
  46 </form>
  47 EOT
  48 }
  49
  50 my $y0 = $cgi->param('y0') || '';
  51 if ($cgi->param('name') && $y0 && $cgi->request_method eq 'POST') {
  52         # submitted, let's see
  53         # FIXME: racy, do a lock
  54         my $name = $gcgi->wparam('name');
  55         Girocco::User::does_exist($name, 1)
  56                 or $gcgi->err("Username is not registered.");
  57
  58         $gcgi->err_check and exit;
  59
  60         my $user;
  61         ($user = Girocco::User->load($name)) && valid_email($user->{email})
  62                 or $gcgi->err("Username may not be removed.");
  63
  64         $gcgi->err_check and exit;
  65
  66         if (!$cgi->param('auth')) {
  67                 if ($y0 ne 'Send authorization code') {
  68                         print "<p>Invalid data. Go away, sorcerer.</p>\n";
  69                         exit;
  70                 }
  71
  72                 valid_email($user->{email}) or die "Sorry, this user cannot be removed.";
  73
  74                 my $auth = $user->gen_auth('DEL');
  75
  76                 # Send auth mail
  77                 defined(my $MAIL = mailer_pipe '-s', "[$Girocco::Config::name] Account removal authorization", $user->{email}) or
  78                         die "Sorry, could not send authorization code: $!";
  79                 print $MAIL <<EOT;
  80 Hello,
  81
  82 You have requested an authorization code be sent to you for removing
  83 your account.  If you don't want to actually remove your account, just
  84 ignore this e-mail.  Otherwise, use this code within 24 hours:
  85
  86 $auth
  87
  88 Should you run into any problems, please let us know.
  89
  90 Have fun!
  91 EOT
  92                 close $MAIL;
  93
  94                 print "<p>You should shortly receive an e-mail containing an authorization code.
  95                         Please enter this code below to remove your account.
  96                         The code will expire in 24 hours or after you have used it.</p>";
  97                 _auth_form($name, "'Login'");
  98                 exit;
  99         } else {
 100                 if ($y0 ne "'Login'" && $y0 ne "Remove user account") {
 101                         print "<p>Invalid data. Go away, sorcerer.</p>\n";
 102                         exit;
 103                 }
 104
 105                 $user->{auth} && $user->{authtype} eq 'DEL' or do {
 106                         print "<p>There currently isn't any authorization code filed under your account.  ".
 107                                 "Please <a href=\"@{[url_path($Girocco::Config::webadmurl)]}/deluser.cgi\">generate one</a>.</p>";
 108                         exit;
 109                 };
 110
 111                 my $auth = $gcgi->wparam('auth');
 112                 if ($auth ne $user->{auth}) {
 113                         print "<p>Invalid authorization code, please re-enter or ".
 114                                 "<a href=\"@{[url_path($Girocco::Config::webadmurl)]}/deluser.cgi\">generate a new one</a>.</p>";
 115                         _auth_form($name, "'Login'");
 116                         exit;
 117                 }
 118
 119                 my $conf = $gcgi->wparam('confirm') || '';
 120                 if ($y0 ne 'Remove user account' || $conf ne $user->{name}) {
 121                         my $blurb1 = '.';
 122                         my $projectsinfo = '';
 123                         my @projects = $user->get_projects;
 124                         if (@projects) {
 125                                 $projectsinfo = projects_html_list({target=>"_blank", sizecol=>1, typecol=>1, changed=>1}, @projects);
 126                                 $blurb1 = ' and from the following projects:' if $projectsinfo;
 127                         }
 128                         my $ownedinfo = '';
 129                         my @ownedprojects = filedb_grep($Girocco::Config::projlist_cache_dir.'/gitproj.list',
 130                                 sub {
 131                                         chomp;
 132                                         my ($proj, $hash, $owner) = split(/ /, $_, 3);
 133                                         if ($owner eq $user->{email}) {
 134                                                 $proj;
 135                                         }
 136                                 }
 137                         );
 138                         if (@ownedprojects) {
 139                                 $ownedinfo = <<EOT;
 140 <p>The following project(s) are owned by the same email address as user account '$user->{name}'
 141 and <b>will NOT be removed</b>.  If desired, they can be removed from their project admin
 142 page(s) (the "edit" link on the project page).</p>
 143 EOT
 144                                 $ownedinfo .= projects_html_list(
 145                                         {target=>"_blank", sizecol=>1, typecol=>1, changed=>1}, @ownedprojects);
 146                         }
 147                         print <<EOT;
 148 <p>Please confirm that you are going to remove user account '$user->{name}'
 149 from the site$blurb1</p>$projectsinfo$ownedinfo
 150 <form method="post" action="@{[url_path($Girocco::Config::webadmurl)]}/deluser.cgi">
 151 <input type="hidden" name="name" value="$name" />
 152 <input type="hidden" name="auth" value="$auth" />
 153 <input type="hidden" name="confirm" value="$name" />
 154 <p><input type="submit" name="y0" value="Remove user account" /></p>
 155 </form>
 156 EOT
 157                         exit;
 158                 }
 159
 160                 $user->remove;
 161                 print "<p>User account successfully removed. Have a nice day.</p>\n";
 162                 exit;
 163         }
 164 }
 165
 166 print <<EOT;
 167 <p>Here you can request an authorization code to remove your user account.</p>
 168
 169 <p>Please enter your username below;
 170 we will send you an email with an authorization code
 171 and further instructions.</p>
 172
 173 <form method="post" action="@{[url_path($Girocco::Config::webadmurl)]}/deluser.cgi">
 174 <table class="form">
 175 <tr><td class="formlabel">Login:</td><td><input type="text" name="name" /></td></tr>
 176 <tr style="display:none"><td class="formlabel">Anti-captcha (leave empty!):</td><td><input type="text" name="mail" /></td></tr>
 177 <tr><td class="formlabel"></td><td><input type="submit" name="y0" value="Send authorization code" /></td></tr>
 178 </table>
 179 </form>
 180 EOT