From 18240670cfb1e643d2a08f9c647962b4de6c6e0e Mon Sep 17 00:00:00 2001
From: Thomas Lynch
Date: Wed, 23 Sep 2020 10:19:56 +0000
Subject: [PATCH] Let users self-delete their account, provided they dont hold any staff positions

closes #240
---
 controllers/forms.js | 2 ++
 controllers/forms/deleteaccount.js | 37 ++++++++++++++++++++++++++++++
 db/accounts.js | 8 +++++++
 models/forms/deleteaccount.js | 10 ++++++++
 views/pages/account.pug | 13 ++++++++++-
 5 files changed, 69 insertions(+), 1 deletion(-)
 create mode 100644 controllers/forms/deleteaccount.js
 create mode 100644 models/forms/deleteaccount.js

diff --git a/controllers/forms.js b/controllers/forms.js
index 1307387b..46077c47 100644
--- a/controllers/forms.js
+++ b/controllers/forms.js
@@ -34,6 +34,7 @@ const express = require('express')
 , boardSettingsController = require(__dirname+'/forms/boardsettings.js')
 , transferController = require(__dirname+'/forms/transfer.js')
 , resignController = require(__dirname+'/forms/resign.js')
+ , deleteAccountController = require(__dirname+'/forms/deleteaccount.js')
 , loginController = require(__dirname+'/forms/login.js')
 , registerController = require(__dirname+'/forms/register.js')
 , changePasswordController = require(__dirname+'/forms/changepassword.js')
@@ -88,6 +89,7 @@ router.post('/logout', useSession, logout);
 router.post('/register', geoAndTor, torPreBypassCheck, processIp, useSession, sessionRefresh, verifyCaptcha, calcPerms, registerController);
 router.post('/changepassword', geoAndTor, torPreBypassCheck, processIp, useSession, sessionRefresh, verifyCaptcha, changePasswordController);
 router.post('/resign', useSession, sessionRefresh, csrf, calcPerms, isLoggedIn, hasPerms(3), paramConverter, resignController);
+router.post('/deleteaccount', useSession, sessionRefresh, csrf, calcPerms, isLoggedIn, paramConverter, deleteAccountController);
 //removes captcha cookie, for refreshing for noscript users
 router.post('/newcaptcha', newCaptcha);
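Review bot: The new `/deleteaccount` route gates an irreversible action on nothing more than a live session: its chain is `useSession, sessionRefresh, csrf, calcPerms, isLoggedIn, paramConverter`, so the only user-supplied proof is the `confirm` checkbox, whereas `/changepassword` two lines above at least runs `verifyCaptcha`. Any session that is still valid, including one left open on a shared machine, can therefore remove the account outright. Requiring the current password in `controllers/forms/deleteaccount.js` (and a password field in the `views/pages/account.pug` form added later in this patch) would give the deletion the same re-authentication bar that credential changes normally get; I cannot see from this hunk whether `changePasswordController` checks the old password, so treat that comparison as a suggestion rather than a precedent.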
diff --git a/controllers/forms/deleteaccount.js b/controllers/forms/deleteaccount.js
new file mode 100644
index 00000000..a41fe029
--- /dev/null
+++ b/controllers/forms/deleteaccount.js
@@ -0,0 +1,37 @@
+'use strict';
+
+const deleteAccount = require(__dirname+'/../../models/forms/deleteaccount.js')
+ , dynamicResponse = require(__dirname+'/../../helpers/dynamic.js')
+
+module.exports = async (req, res, next) => {
+
+ if (!req.body.confirm) {
+ return dynamicResponse(req, res, 400, 'message', {
+ 'title': 'Bad request',
+ 'error': 'Missing confirmation',
+ 'redirect': '/account.html'
+ });
+ }
+
+ const { modBoards, ownedBoards } = res.locals.user;
+ if (ownedBoards.length > 0 || modBoards.length > 0) {
+ return dynamicResponse(req, res, 400, 'message', {
+ 'title': 'Bad request',
+ 'message': 'You cannot delete your account while you hold staff position on any board',
+ 'redirect': `/account.html`
+ });
+ }
+
+ try {
+ await deleteAccount(res.locals.user.username);
+ } catch (err) {
+ return next(err);
+ }
+
+ return dynamicResponse(req, res, 200, 'message', {
+ 'title': 'Success',
+ 'message': 'Board deleted',
+ 'redirect': req.params.board ? '/' : '/globalmanage/settings.html'
+ });
+
+}
diff --git a/db/accounts.js b/db/accounts.js
index 6a7cabbc..91f87c95 100644
--- a/db/accounts.js
+++ b/db/accounts.js
@@ -78,6 +78,14 @@ module.exports = {
 }).skip(skip).limit(limit).toArray();
 },
+ deleteOne: async (username) => {
+ const res = await db.deleteOne({
+ '_id': username
+ });
+ cache.del(`users:${username}`);
+ return res;
+ },
+ deleteMany: async (usernames) => {
+ const res = await db.deleteMany({
+ '_id': {
diff --git a/models/forms/deleteaccount.js b/models/forms/deleteaccount.js
new file mode 100644
index 00000000..20d58ada
--- /dev/null
+++ b/models/forms/deleteaccount.js
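Review bot: The success response at the end of the controller is copied from a board-deletion handler: it reports `'message': 'Board deleted'` and redirects to `req.params.board ? '/' : '/globalmanage/settings.html'`, but the `/forms/deleteaccount` route has no `:board` parameter, so a user who has just deleted their account is always sent to the global management settings page. The session that `useSession` loaded is also left untouched after the document is removed, so the deleted user's cookie keeps presenting as a logged-in session until whatever validates it notices the missing account, which I cannot see from this hunk. I would change the final call to `'message': 'Account deleted'` and `'redirect': '/'`, and end the session before responding (with express-session that is `req.session.destroy(cb)`, sending the response from the callback). A smaller point: the first rejection uses an `'error'` key and the second a `'message'` key for what appears to be the same field, so unless `dynamicResponse` treats them differently one of them should be renamed.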
@@ -0,0 +1,10 @@
+'use strict';
+
+const { Accounts } = require(__dirname+'/../../db/')
+
+module.exports = async (username) => {
+
+ //this definitely needs to be its own file (v:
+ await Accounts.deleteOne(username);
+
+}
diff --git a/views/pages/account.pug b/views/pages/account.pug
index 31fdf258..d76a5393 100644
--- a/views/pages/account.pug
+++ b/views/pages/account.pug
@@ -86,4 +86,15 @@ block content
 label.postform-style.ph-5
 input(type='checkbox', name='confirm', value='true' required)
 input(type='submit', value='submit')
-
+
+ hr(size=1)
+ h4.no-m-p Delete your account:
+ .form-wrapper.flexleft.mt-10
+ form.form-post(action=`/forms/deleteaccount`, enctype='application/x-www-form-urlencoded', method='POST')
+ input(type='hidden' name='_csrf' value=csrf)
+ .row
+ .label I'm sure
+ label.postform-style.ph-5
+ input(type='checkbox', name='confirm', value='true' required)
+ input(type='submit', value='submit')
+
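Review bot: The model discards the driver result of `Accounts.deleteOne`, so a delete that matched no document (for example a form submitted twice after the account is already gone) is indistinguishable from a successful one and the controller reports success either way. `return Accounts.deleteOne(username);` would hand the result, including `deletedCount`, back to the caller at no cost; `deleteOne` in `db/accounts.js` already returns it in this patch. The `//this definitely needs to be its own file (v:` comment should state what the module is for rather than joke about its size, e.g. `// Account-deletion model: removes the account document for username and evicts its cache entry via Accounts.deleteOne`.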