Commit a0da03d9 authored by Douwe Maan's avatar Douwe Maan

Merge branch '12726-preserve-issues-after-deleting-users' into 'master'

Deleting a user shouldn't delete associated issues.

Closes #12726

See merge request !7393
parents faaca5e1 53aa0437
class Uniquify
# Return a version of the given 'base' string that is unique
# by appending a counter to it. Uniqueness is determined by
# repeated calls to the passed block.
#
# If `base` is a function/proc, we expect that calling it with a
# candidate counter returns a string to test/return.
def string(base)
@base = base
@counter = nil
increment_counter! while yield(base_string)
base_string
end
private
def base_string
if @base.respond_to?(:call)
@base.call(@counter)
else
"#{@base}#{@counter}"
end
end
def increment_counter!
@counter ||= 0
@counter += 1
end
end
...@@ -98,14 +98,8 @@ class Namespace < ActiveRecord::Base ...@@ -98,14 +98,8 @@ class Namespace < ActiveRecord::Base
# Work around that by setting their username to "blank", followed by a counter. # Work around that by setting their username to "blank", followed by a counter.
path = "blank" if path.blank? path = "blank" if path.blank?
counter = 0 uniquify = Uniquify.new
base = path uniquify.string(path) { |s| Namespace.find_by_path_or_name(s) }
while Namespace.find_by_path_or_name(path)
counter += 1
path = "#{base}#{counter}"
end
path
end end
end end
......
...@@ -81,7 +81,6 @@ class User < ActiveRecord::Base ...@@ -81,7 +81,6 @@ class User < ActiveRecord::Base
has_many :authorized_projects, through: :project_authorizations, source: :project has_many :authorized_projects, through: :project_authorizations, source: :project
has_many :snippets, dependent: :destroy, foreign_key: :author_id has_many :snippets, dependent: :destroy, foreign_key: :author_id
has_many :issues, dependent: :destroy, foreign_key: :author_id
has_many :notes, dependent: :destroy, foreign_key: :author_id has_many :notes, dependent: :destroy, foreign_key: :author_id
has_many :merge_requests, dependent: :destroy, foreign_key: :author_id has_many :merge_requests, dependent: :destroy, foreign_key: :author_id
has_many :events, dependent: :destroy, foreign_key: :author_id has_many :events, dependent: :destroy, foreign_key: :author_id
...@@ -99,6 +98,11 @@ class User < ActiveRecord::Base ...@@ -99,6 +98,11 @@ class User < ActiveRecord::Base
has_many :assigned_issues, dependent: :nullify, foreign_key: :assignee_id, class_name: "Issue" has_many :assigned_issues, dependent: :nullify, foreign_key: :assignee_id, class_name: "Issue"
has_many :assigned_merge_requests, dependent: :nullify, foreign_key: :assignee_id, class_name: "MergeRequest" has_many :assigned_merge_requests, dependent: :nullify, foreign_key: :assignee_id, class_name: "MergeRequest"
# Issues that a user owns are expected to be moved to the "ghost" user before
# the user is destroyed. If the user owns any issues during deletion, this
# should be treated as an exceptional condition.
has_many :issues, dependent: :restrict_with_exception, foreign_key: :author_id
# #
# Validations # Validations
# #
...@@ -120,6 +124,7 @@ class User < ActiveRecord::Base ...@@ -120,6 +124,7 @@ class User < ActiveRecord::Base
validate :unique_email, if: ->(user) { user.email_changed? } validate :unique_email, if: ->(user) { user.email_changed? }
validate :owns_notification_email, if: ->(user) { user.notification_email_changed? } validate :owns_notification_email, if: ->(user) { user.notification_email_changed? }
validate :owns_public_email, if: ->(user) { user.public_email_changed? } validate :owns_public_email, if: ->(user) { user.public_email_changed? }
validate :ghost_users_must_be_blocked
validates :avatar, file_size: { maximum: 200.kilobytes.to_i } validates :avatar, file_size: { maximum: 200.kilobytes.to_i }
before_validation :generate_password, on: :create before_validation :generate_password, on: :create
...@@ -337,6 +342,12 @@ class User < ActiveRecord::Base ...@@ -337,6 +342,12 @@ class User < ActiveRecord::Base
(?<user>#{Gitlab::Regex::FULL_NAMESPACE_REGEX_STR}) (?<user>#{Gitlab::Regex::FULL_NAMESPACE_REGEX_STR})
}x }x
end end
# Return (create if necessary) the ghost user. The ghost user
# owns records previously belonging to deleted users.
def ghost
User.find_by_ghost(true) || create_ghost_user
end
end end
# #
...@@ -435,6 +446,12 @@ class User < ActiveRecord::Base ...@@ -435,6 +446,12 @@ class User < ActiveRecord::Base
errors.add(:public_email, "is not an email you own") unless all_emails.include?(public_email) errors.add(:public_email, "is not an email you own") unless all_emails.include?(public_email)
end end
def ghost_users_must_be_blocked
if ghost? && !blocked?
errors.add(:ghost, 'cannot be enabled for a user who is not blocked.')
end
end
def update_emails_with_primary_email def update_emails_with_primary_email
primary_email_record = emails.find_by(email: email) primary_email_record = emails.find_by(email: email)
if primary_email_record if primary_email_record
...@@ -999,4 +1016,40 @@ class User < ActiveRecord::Base ...@@ -999,4 +1016,40 @@ class User < ActiveRecord::Base
super super
end end
end end
def self.create_ghost_user
# Since we only want a single ghost user in an instance, we use an
# exclusive lease to ensure than this block is never run concurrently.
lease_key = "ghost_user_creation"
lease = Gitlab::ExclusiveLease.new(lease_key, timeout: 1.minute.to_i)
until uuid = lease.try_obtain
# Keep trying until we obtain the lease. To prevent hammering Redis too
# much we'll wait for a bit between retries.
sleep(1)
end
# Recheck if a ghost user is already present. One might have been
# added between the time we last checked (first line of this method)
# and the time we acquired the lock.
ghost_user = User.find_by_ghost(true)
return ghost_user if ghost_user.present?
uniquify = Uniquify.new
username = uniquify.string("ghost") { |s| User.find_by_username(s) }
email = uniquify.string(-> (n) { "ghost#{n}@example.com" }) do |s|
User.find_by_email(s)
end
bio = 'This is a "Ghost User", created to hold all issues authored by users that have since been deleted. This user cannot be removed.'
User.create(
username: username, password: Devise.friendly_token, bio: bio,
email: email, name: "Ghost User", state: :blocked, ghost: true
)
ensure
Gitlab::ExclusiveLease.cancel(lease_key, uuid)
end
end end
...@@ -3,6 +3,14 @@ class UserPolicy < BasePolicy ...@@ -3,6 +3,14 @@ class UserPolicy < BasePolicy
def rules def rules
can! :read_user if @user || !restricted_public_level? can! :read_user if @user || !restricted_public_level?
if @user
if @user.admin? || @subject == @user
can! :destroy_user
end
cannot! :destroy_user if @subject.ghost?
end
end end
def restricted_public_level? def restricted_public_level?
......
...@@ -7,7 +7,7 @@ module Users ...@@ -7,7 +7,7 @@ module Users
end end
def execute(user, options = {}) def execute(user, options = {})
unless current_user.admin? || current_user == user unless Ability.allowed?(current_user, :destroy_user, user)
raise Gitlab::Access::AccessDeniedError, "#{current_user} tried to destroy user #{user}!" raise Gitlab::Access::AccessDeniedError, "#{current_user} tried to destroy user #{user}!"
end end
...@@ -26,6 +26,8 @@ module Users ...@@ -26,6 +26,8 @@ module Users
::Projects::DestroyService.new(project, current_user, skip_repo: true).async_execute ::Projects::DestroyService.new(project, current_user, skip_repo: true).async_execute
end end
move_issues_to_ghost_user(user)
# Destroy the namespace after destroying the user since certain methods may depend on the namespace existing # Destroy the namespace after destroying the user since certain methods may depend on the namespace existing
namespace = user.namespace namespace = user.namespace
user_data = user.destroy user_data = user.destroy
...@@ -33,5 +35,22 @@ module Users ...@@ -33,5 +35,22 @@ module Users
user_data user_data
end end
private
def move_issues_to_ghost_user(user)
# Block the user before moving issues to prevent a data race.
# If the user creates an issue after `move_issues_to_ghost_user`
# runs and before the user is destroyed, the destroy will fail with
# an exception. We block the user so that issues can't be created
# after `move_issues_to_ghost_user` runs and before the destroy happens.
user.block
ghost_user = User.ghost
user.issues.update_all(author_id: ghost_user.id)
user.reload
end
end end
end end
...@@ -34,7 +34,7 @@ ...@@ -34,7 +34,7 @@
- if user.access_locked? - if user.access_locked?
%li %li
= link_to 'Unlock', unlock_admin_user_path(user), method: :put, class: 'btn-grouped btn btn-xs btn-success', data: { confirm: 'Are you sure?' } = link_to 'Unlock', unlock_admin_user_path(user), method: :put, class: 'btn-grouped btn btn-xs btn-success', data: { confirm: 'Are you sure?' }
- if user.can_be_removed? - if user.can_be_removed? && can?(current_user, :destroy_user, @user)
%li.divider %li.divider
%li %li
= link_to 'Delete User', [:admin, user], data: { confirm: "USER #{user.name} WILL BE REMOVED! All issues, merge requests and groups linked to this user will also be removed! Consider cancelling this deletion and blocking the user instead. Are you sure?" }, = link_to 'Delete User', [:admin, user], data: { confirm: "USER #{user.name} WILL BE REMOVED! All issues, merge requests and groups linked to this user will also be removed! Consider cancelling this deletion and blocking the user instead. Are you sure?" },
......
...@@ -173,7 +173,7 @@ ...@@ -173,7 +173,7 @@
.panel-heading .panel-heading
Remove user Remove user
.panel-body .panel-body
- if @user.can_be_removed? - if @user.can_be_removed? && can?(current_user, :destroy_user, @user)
%p Deleting a user has the following effects: %p Deleting a user has the following effects:
%ul %ul
%li All user content like authored issues, snippets, comments will be removed %li All user content like authored issues, snippets, comments will be removed
...@@ -189,3 +189,6 @@ ...@@ -189,3 +189,6 @@
%strong= @user.solo_owned_groups.map(&:name).join(', ') %strong= @user.solo_owned_groups.map(&:name).join(', ')
%p %p
You must transfer ownership or delete these groups before you can delete this user. You must transfer ownership or delete these groups before you can delete this user.
- else
%p
You don't have access to delete this user.
...@@ -115,7 +115,7 @@ ...@@ -115,7 +115,7 @@
%h4.prepend-top-0.danger-title %h4.prepend-top-0.danger-title
Remove account Remove account
.col-lg-9 .col-lg-9
- if @user.can_be_removed? - if @user.can_be_removed? && can?(current_user, :destroy_user, @user)
%p %p
Deleting an account has the following effects: Deleting an account has the following effects:
%ul %ul
...@@ -131,4 +131,7 @@ ...@@ -131,4 +131,7 @@
%strong= @user.solo_owned_groups.map(&:name).join(', ') %strong= @user.solo_owned_groups.map(&:name).join(', ')
%p %p
You must transfer ownership or delete these groups before you can delete your account. You must transfer ownership or delete these groups before you can delete your account.
- else
%p
You don't have access to delete this user.
.append-bottom-default .append-bottom-default
---
title: Deleting a user doesn't delete issues they've created/are assigned to
merge_request: 7393
author:
class AddColumnGhostToUsers < ActiveRecord::Migration
DOWNTIME = false
def up
add_column :users, :ghost, :boolean
end
def down
remove_column :users, :ghost
end
end
...@@ -1278,10 +1278,11 @@ ActiveRecord::Schema.define(version: 20170216141440) do ...@@ -1278,10 +1278,11 @@ ActiveRecord::Schema.define(version: 20170216141440) do
t.datetime "otp_grace_period_started_at" t.datetime "otp_grace_period_started_at"
t.boolean "ldap_email", default: false, null: false t.boolean "ldap_email", default: false, null: false
t.boolean "external", default: false t.boolean "external", default: false
t.string "organization"
t.string "incoming_email_token" t.string "incoming_email_token"
t.string "organization"
t.boolean "authorized_projects_populated" t.boolean "authorized_projects_populated"
t.boolean "notified_of_own_activity", default: false, null: false t.boolean "notified_of_own_activity", default: false, null: false
t.boolean "ghost"
end end
add_index "users", ["admin"], name: "index_users_on_admin", using: :btree add_index "users", ["admin"], name: "index_users_on_admin", using: :btree
......
...@@ -26,6 +26,11 @@ FactoryGirl.define do ...@@ -26,6 +26,11 @@ FactoryGirl.define do
two_factor_via_otp two_factor_via_otp
end end
trait :ghost do
ghost true
after(:build) { |user, _| user.block! }
end
trait :two_factor_via_otp do trait :two_factor_via_otp do
before(:create) do |user| before(:create) do |user|
user.otp_required_for_login = true user.otp_required_for_login = true
......
...@@ -4,7 +4,7 @@ describe 'Profile account page', feature: true do ...@@ -4,7 +4,7 @@ describe 'Profile account page', feature: true do
let(:user) { create(:user) } let(:user) { create(:user) }
before do before do
login_as :user login_as(user)
end end
describe 'when signup is enabled' do describe 'when signup is enabled' do
...@@ -16,7 +16,7 @@ describe 'Profile account page', feature: true do ...@@ -16,7 +16,7 @@ describe 'Profile account page', feature: true do
it { expect(page).to have_content('Remove account') } it { expect(page).to have_content('Remove account') }
it 'deletes the account' do it 'deletes the account' do
expect { click_link 'Delete account' }.to change { User.count }.by(-1) expect { click_link 'Delete account' }.to change { User.where(id: user.id).count }.by(-1)
expect(current_path).to eq(new_user_session_path) expect(current_path).to eq(new_user_session_path)
end end
end end
......
...@@ -2,7 +2,7 @@ require 'rails_helper' ...@@ -2,7 +2,7 @@ require 'rails_helper'
RSpec.describe AbuseReport, type: :model do RSpec.describe AbuseReport, type: :model do
subject { create(:abuse_report) } subject { create(:abuse_report) }
let(:user) { create(:user) } let(:user) { create(:admin) }
it { expect(subject).to be_valid } it { expect(subject).to be_valid }
......
require 'spec_helper'
describe Uniquify, models: true do
let(:uniquify) { described_class.new }
describe "#string" do
it 'returns the given string if it does not exist' do
result = uniquify.string('test_string') { |s| false }
expect(result).to eq('test_string')
end
it 'returns the given string with a counter attached if the string exists' do
result = uniquify.string('test_string') { |s| s == 'test_string' }
expect(result).to eq('test_string1')
end
it 'increments the counter for each candidate string that also exists' do
result = uniquify.string('test_string') { |s| s == 'test_string' || s == 'test_string1' }
expect(result).to eq('test_string2')
end
it 'allows passing in a base function that defines the location of the counter' do
result = uniquify.string(-> (counter) { "test_#{counter}_string" }) do |s|
s == 'test__string'
end
expect(result).to eq('test_1_string')
end
end
end
...@@ -22,7 +22,7 @@ describe User, models: true do ...@@ -22,7 +22,7 @@ describe User, models: true do
it { is_expected.to have_many(:deploy_keys).dependent(:destroy) } it { is_expected.to have_many(:deploy_keys).dependent(:destroy) }
it { is_expected.to have_many(:events).dependent(:destroy) } it { is_expected.to have_many(:events).dependent(:destroy) }
it { is_expected.to have_many(:recent_events).class_name('Event') } it { is_expected.to have_many(:recent_events).class_name('Event') }
it { is_expected.to have_many(:issues).dependent(:destroy) } it { is_expected.to have_many(:issues).dependent(:restrict_with_exception) }
it { is_expected.to have_many(:notes).dependent(:destroy) } it { is_expected.to have_many(:notes).dependent(:destroy) }
it { is_expected.to have_many(:assigned_issues).dependent(:nullify) } it { is_expected.to have_many(:assigned_issues).dependent(:nullify) }
it { is_expected.to have_many(:merge_requests).dependent(:destroy) } it { is_expected.to have_many(:merge_requests).dependent(:destroy) }
...@@ -208,6 +208,22 @@ describe User, models: true do ...@@ -208,6 +208,22 @@ describe User, models: true do
end end
end end
end end
describe 'ghost users' do
it 'does not allow a non-blocked ghost user' do
user = build(:user, :ghost)
user.state = 'active'
expect(user).to be_invalid
end
it 'allows a blocked ghost user' do
user = build(:user, :ghost)
user.state = 'blocked'
expect(user).to be_valid
end
end
end end
describe "scopes" do describe "scopes" do
...@@ -1490,4 +1506,41 @@ describe User, models: true do ...@@ -1490,4 +1506,41 @@ describe User, models: true do
expect(user.admin).to be true expect(user.admin).to be true
end end
end end
describe '.ghost' do
it "creates a ghost user if one isn't already present" do
ghost = User.ghost
expect(ghost).to be_ghost
expect(ghost).to be_persisted
end
it "does not create a second ghost user if one is already present" do
expect do
User.ghost
User.ghost
end.to change { User.count }.by(1)
expect(User.ghost).to eq(User.ghost)
end
context "when a regular user exists with the username 'ghost'" do
it "creates a ghost user with a non-conflicting username" do
create(:user, username: 'ghost')
ghost = User.ghost
expect(ghost).to be_persisted
expect(ghost.username).to eq('ghost1')
end
end
context "when a regular user exists with the email 'ghost@example.com'" do
it "creates a ghost user with a non-conflicting email" do
create(:user, email: 'ghost@example.com')
ghost = User.ghost
expect(ghost).to be_persisted
expect(ghost.email).to eq('ghost1@example.com')
end
end
end
end end
require 'spec_helper'
describe UserPolicy, models: true do
let(:current_user) { create(:user) }
let(:user) { create(:user) }
subject { described_class.abilities(current_user, user).to_set }
describe "reading a user's information" do
it { is_expected.to include(:read_user) }
end
describe "destroying a user" do
context "when a regular user tries to destroy another regular user" do
it { is_expected.not_to include(:destroy_user) }
end
context "when a regular user tries to destroy themselves" do
let(:current_user) { user }
it { is_expected.to include(:destroy_user) }
end
context "when an admin user tries to destroy a regular user" do
let(:current_user) { create(:user, :admin) }
it { is_expected.to include(:destroy_user) }
end
context "when an admin user tries to destroy a ghost user" do
let(:current_user) { create(:user, :admin) }
let(:user) { create(:user, :ghost) }
it { is_expected.not_to include(:destroy_user) }
end
end
end
...@@ -24,6 +24,54 @@ describe Users::DestroyService, services: true do ...@@ -24,6 +24,54 @@ describe Users::DestroyService, services: true do
end end
end end
context "a deleted user's issues" do
let(:project) { create :project }
before do
project.add_developer(user)
end
context "for an issue the user has created" do
let!(:issue) { create(:issue, project: project, author: user) }
before do
service.execute(user)
end
it 'does not delete the issue' do
expect(Issue.find_by_id(issue.id)).to be_present
end
it 'migrates the issue so that the "Ghost User" is the issue owner' do
migrated_issue = Issue.find_by_id(issue.id)
expect(migrated_issue.author).to eq(User.ghost)
end
it 'blocks the user before migrating issues to the "Ghost User' do
expect(user).to be_blocked
end
end
context "for an issue the user was assigned to" do
let!(:issue) { create(:issue, project: project, assignee: user) }
before do
service.execute(user)
end
it 'does not delete issues the user is assigned to' do
expect(Issue.find_by_id(issue.id)).to be_present
end
it 'migrates the issue so that it is "Unassigned"' do
migrated_issue = Issue.find_by_id(issue.id)
expect(migrated_issue.assignee).to be_nil
end
end
end
context "solo owned groups present" do context "solo owned groups present" do
let(:solo_owned) { create(:group) } let(:solo_owned) { create(:group) }
let(:member) { create(:group_member) } let(:member) { create(:group_member) }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment