#!/usr/bin/perl

# deluser.cgi -- support for user deletion via web
# Copyright (c) 2013 Kyle J. McKay. All rights reserved.
# Portions (c) Petr Baudis <pasky@suse.cz> and (c) Jan Krueger <jk@jk.gs>
# License GPLv2+: GNU GPL version 2 or later.
# www.gnu.org/licenses/gpl-2.0.html
# This is free software: you are free to change and redistribute it.
# There is NO WARRANTY, to the extent permitted by law.

use strict;
use warnings;

use lib "__BASEDIR__";
use Girocco::CGI;
use Girocco::Config;
use Girocco::User;
use Girocco::Util;
binmode STDOUT, ':utf8';

my $gcgi = Girocco::CGI->new('User Removal');
my $cgi  = $gcgi->cgi;

# Nothing below makes sense on an instance that does not manage its own
# user accounts; say so and stop.
if (!$Girocco::Config::manage_users) {
    print "<p>I don't manage users.</p>";
    exit;
}

# 'mail' is the hidden anti-captcha field of the request form printed at
# the bottom of this file; a real browser user never fills it in.
if ($cgi->param('mail')) {
    print "<p>Go away, bot.</p>";
    exit;
}

# check_readonly(1) presumably returns a message while the site is in
# read-only mode (it lives in Girocco::Util); if it does, show it and stop
# before any account state is touched.
if (my $romsg = check_readonly(1)) {
    print "<p>$romsg</p>\n";
    exit;
}
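# Print the form that asks the user for the e-mailed authorization code.
#
# Arguments:
#   $name   - the account name; it is carried in a hidden field so the
#             next POST can identify the account again
#   $submit - label of the submit button; it is also the value the 'y0'
#             parameter carries back, which the main flow uses to tell
#             the form stages apart
#
# Prints the HTML to STDOUT; the return value is not meaningful.
sub _auth_form {
    my ($name, $submit) = @_;
    # Both values land inside double-quoted attributes. $name originates
    # from a request parameter, so escape the characters that could end
    # the attribute or inject markup rather than relying on callers having
    # validated it. The browser decodes the entities again, so the value
    # posted back is unchanged.
    my %attr_esc = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');
    (my $name_attr   = $name)   =~ s/([&<>"])/$attr_esc{$1}/g;
    (my $submit_attr = $submit) =~ s/([&<>"])/$attr_esc{$1}/g;
    print <<EOT;
<form method="post" action="@{[url_path($Girocco::Config::webadmurl)]}/deluser.cgi">
<input type="hidden" name="name" value="$name_attr" />
<p>Authorization code: <input name="auth" size="50" /></p>
<p><input type="submit" name="y0" value="$submit_attr" /></p>
</form>
EOT
}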
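# Main flow. The request form at the bottom of this file and the forms
# printed below all POST back here; the 'y0' submit value tells the
# stages apart:
#   1. y0 'Send authorization code', no 'auth' parameter: generate a 'DEL'
#      authorization code for the account and e-mail it to its address.
#   2. y0 "'Login'", 'auth' present: check the code and, if it matches,
#      show the confirmation page listing what will (and will not) go.
#   3. y0 'Remove user account', 'auth' and 'confirm' present: check the
#      code again and remove the account.
# Anything that is not a POST with a name and a 'y0' falls through to the
# request form.
my $y0 = $cgi->param('y0') || '';
if ($cgi->param('name') && $y0 && $cgi->request_method eq 'POST') {
    # submitted, let's see
    # FIXME: racy, do a lock
    my $name = $gcgi->wparam('name');
    Girocco::User::does_exist($name, 1)
        or $gcgi->err("Username is not registered.");

    $gcgi->err_check and exit;

    # Only an account with a usable e-mail address can be removed, since the
    # authorization code has to be mailed somewhere.
    my $user;
    ($user = Girocco::User->load($name)) && valid_email($user->{email})
        or $gcgi->err("Username may not be removed.");

    $gcgi->err_check and exit;

    if (!$cgi->param('auth')) {
        # Stage 1: request an authorization code.
        if ($y0 ne 'Send authorization code') {
            print "<p>Invalid data. Go away, sorcerer.</p>\n";
            exit;
        }

        # Already established above; kept as a last guard in front of the
        # mail-out should the earlier check ever be relaxed.
        valid_email($user->{email}) or die "Sorry, this user cannot be removed.";

        my $auth = $user->gen_auth('DEL');

        # Send auth mail
        defined(my $MAIL = mailer_pipe '-s', "[$Girocco::Config::name] Account removal authorization", $user->{email}) or
            die "Sorry, could not send authorization code: $!";
        print {$MAIL} <<EOT;
Hello,

You have requested an authorization code be sent to you for removing
your account. If you don't want to actually remove your account, just
ignore this e-mail. Otherwise, use this code within 24 hours:

$auth

Should you run into any problems, please let us know.

Have fun!
EOT
        # mailer_pipe presumably hands back a pipe to the mailer, so a
        # failed close is how a rejected or undelivered message shows up.
        # Report it instead of telling the user the code is on its way:
        # $! is set for an I/O error, otherwise $? carries the mailer's
        # exit status.
        close $MAIL
            or die "Sorry, could not send authorization code: "
                . ($! ? "$!" : "mailer exited with status " . ($? >> 8));

        print "<p>You should shortly receive an e-mail containing an authorization code.
Please enter this code below to remove your account.
The code will expire in 24 hours or after you have used it.</p>";
        _auth_form($name, "'Login'");
        exit;
    } else {
        # Stages 2 and 3: a code was entered.
        if ($y0 ne "'Login'" && $y0 ne "Remove user account") {
            print "<p>Invalid data. Go away, sorcerer.</p>\n";
            exit;
        }

        # A code is only valid for the purpose it was generated for.
        $user->{auth} && $user->{authtype} eq 'DEL' or do {
            print "<p>There currently isn't any authorization code filed under your account. ".
                "Please <a href=\"@{[url_path($Girocco::Config::webadmurl)]}/deluser.cgi\">generate one</a>.</p>";
            exit;
        };

        # A mismatch shows the code form again so a typo can be corrected.
        my $auth = $gcgi->wparam('auth');
        if ($auth ne $user->{auth}) {
            print "<p>Invalid authorization code, please re-enter or ".
                "<a href=\"@{[url_path($Girocco::Config::webadmurl)]}/deluser.cgi\">generate a new one</a>.</p>";
            _auth_form($name, "'Login'");
            exit;
        }

        # Stage 2 (or a stage-3 POST whose 'confirm' does not name this
        # account): show what removal will affect and ask for confirmation.
        my $conf = $gcgi->wparam('confirm') || '';
        if ($y0 ne 'Remove user account' || $conf ne $user->{name}) {
            my $blurb1 = '.';
            my $projectsinfo = '';
            my @projects = $user->get_projects;
            if (@projects) {
                $projectsinfo = projects_html_list({target=>"_blank", sizecol=>1, typecol=>1, changed=>1}, @projects);
                $blurb1 = ' and from the following projects:' if $projectsinfo;
            }
            # Projects whose owner field equals this account's e-mail
            # address are listed separately: they are not removed with
            # the account. Each line of gitproj.list is "proj hash owner";
            # the middle field is not needed here.
            my $ownedinfo = '';
            my @ownedprojects = filedb_grep($Girocco::Config::projlist_cache_dir.'/gitproj.list',
                sub {
                    chomp;
                    my ($proj, undef, $owner) = split(/ /, $_, 3);
                    if ($owner eq $user->{email}) {
                        $proj;
                    }
                });

            if (@ownedprojects) {
                $ownedinfo = <<EOT;
<p>The following project(s) are owned by the same email address as user account '$user->{name}'
and <b>will NOT be removed</b>. If desired, they can be removed from their project admin
page(s) (the "edit" link on the project page).</p>
EOT
                $ownedinfo .= projects_html_list(
                    {target=>"_blank", sizecol=>1, typecol=>1, changed=>1}, @ownedprojects);
            }

            # $name and $auth arrived as request parameters; escape them for
            # the double-quoted attribute context so the hidden fields cannot
            # break out of their quotes. The browser decodes the entities
            # again, so the values round-trip unchanged. $user->{name} in the
            # text below is taken from the loaded user record, not the request.
            my %attr_esc = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');
            (my $name_attr = $name) =~ s/([&<>"])/$attr_esc{$1}/g;
            (my $auth_attr = $auth) =~ s/([&<>"])/$attr_esc{$1}/g;
            print <<EOT;
<p>Please confirm that you are going to remove user account '$user->{name}'
from the site$blurb1</p>$projectsinfo$ownedinfo
<form method="post" action="@{[url_path($Girocco::Config::webadmurl)]}/deluser.cgi">
<input type="hidden" name="name" value="$name_attr" />
<input type="hidden" name="auth" value="$auth_attr" />
<input type="hidden" name="confirm" value="$name_attr" />
<p><input type="submit" name="y0" value="Remove user account" /></p>
</form>
EOT
            exit;
        }

        # Stage 3: code matched and 'confirm' names this account.
        $user->remove;
        print "<p>User account successfully removed. Have a nice day.</p>\n";
        exit;
    }
}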
166 print <<EOT;
167 <p>Here you can request an authorization code to remove your user account.</p>
169 <p>Please enter your username below;
170 we will send you an email with an authorization code
171 and further instructions.</p>
173 <form method="post" action="@{[url_path($Girocco::Config::webadmurl)]}/deluser.cgi">
174 <table class="form">
175 <tr><td class="formlabel">Login:</td><td><input type="text" name="name" /></td></tr>
176 <tr style="display:none"><td class="formlabel">Anti-captcha (leave empty!):</td><td><input type="text" name="mail" /></td></tr>
177 <tr><td class="formlabel"></td><td><input type="submit" name="y0" value="Send authorization code" /></td></tr>
178 </table>
179 </form>