From cdaa60b56bb285b3458a3f0054bcaffd23f300de Mon Sep 17 00:00:00 2001
From: Kane York
Date: Wed, 1 Apr 2020 13:10:17 -0700
Subject: [PATCH] FEATURE: Allow admins to disable self-service account deletion https://meta.discourse.org/t/-/146276
---
 app/models/user.rb | 2 +-
 config/locales/server.en.yml | 1 +
 config/site_settings.yml | 3 +++
 lib/guardian/user_guardian.rb | 2 +-
 .../components/guardian/user_guardian_spec.rb | 24 +++++++++++++++++++
 5 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/app/models/user.rb b/app/models/user.rb
index 4ae0f86cc08..562291438f0 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -233,7 +233,6 @@ class User < ActiveRecord::Base
 LAST_VISIT = -2
 end
- MAX_SELF_DELETE_POST_COUNT ||= 1
 MAX_STAFF_DELETE_POST_COUNT ||= 5
 def self.max_password_length
@@ -1286,6 +1285,7 @@ class User < ActiveRecord::Base
 def has_more_posts_than?(max_post_count)
 return true if user_stat && (user_stat.topic_count + user_stat.post_count) > max_post_count
+ return true if max_post_count < 0
 DB.query_single(<<~SQL, user_id: self.id).first > max_post_count
 SELECT COUNT(1)
diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index e3b8271e5df..410f545eba1 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
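Review bot: The added `return true if max_post_count < 0` in `has_more_posts_than?` sits after the `user_stat` comparison and has no comment, so the sentinel meaning of a negative limit is easy to miss. In the visible lines both the `user_stat` sum and the `COUNT(1)` result are compared with `> max_post_count`, which already holds for any negative limit as long as those counts are never negative, so the guard appears only to skip the query. I would make it the first line of the method and document it, e.g. `# negative limit: every user exceeds it, no need to count`. The SQL heredoc continues outside the hunk, so this reading of the query is inferred from its first line only.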
@@ -1952,6 +1952,7 @@ en:
 relative_date_duration: "Number of days after posting where post dates will be shown as relative (7d) instead of absolute (20 Feb)."
 delete_user_max_post_age: "Don't allow deleting users whose first post is older than (x) days."
 delete_all_posts_max: "The maximum number of posts that can be deleted at once with the Delete All Posts button. If a user has more than this many posts, the posts cannot all be deleted at once and the user can't be deleted."
+ delete_user_self_max_post_count: "The maximum number of posts a user can have while allowing self-service account deletion. Set to -1 to disable self-service account deletion."
 username_change_period: "The maximum number of days after registration that accounts can change their username (0 to disallow username change)."
 email_editable: "Allow users to change their e-mail address after registration."
 logout_redirect: "Location to redirect browser to after logout (eg: https://example.com/logout)"
diff --git a/config/site_settings.yml b/config/site_settings.yml
index 33501a4df46..018d7390ccd 100644
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@@ -542,6 +542,9 @@ users:
 client: true
 default: 15
 min: 1
+ delete_user_self_max_post_count:
+ default: 1
+ min: -1
 redirect_users_to_top_page: true
 prioritize_username_in_ux:
 client: true
diff --git a/lib/guardian/user_guardian.rb b/lib/guardian/user_guardian.rb
index 26e726437b9..ecdff65838d 100644
--- a/lib/guardian/user_guardian.rb
+++ b/lib/guardian/user_guardian.rb
@@ -62,7 +62,7 @@ module UserGuardian
 return false if user.nil? || user.admin?
 if is_me?(user)
 !SiteSetting.enable_sso &&
- !user.has_more_posts_than?(User::MAX_SELF_DELETE_POST_COUNT)
+ !user.has_more_posts_than?(SiteSetting.delete_user_self_max_post_count)
 else
 is_staff? && (
 user.first_post_created_at.nil? ||
diff --git a/spec/components/guardian/user_guardian_spec.rb b/spec/components/guardian/user_guardian_spec.rb
index 12fbdd02a21..e8708435494 100644
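Review bot: In the `is_me?(user)` branch of the guardian the "disabled" state is only implied: a setting of -1 denies self-deletion because `has_more_posts_than?` happens to return true for a negative argument. Since this expression is the authorization decision, I would state the rule at the call site, e.g. `SiteSetting.delete_user_self_max_post_count >= 0 &&` ahead of the post-count test, so a later change to the counting helper cannot silently re-enable self-service deletion. The method begins and ends outside the hunk, so the staff branch is not reviewed here.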
--- a/spec/components/guardian/user_guardian_spec.rb
+++ b/spec/components/guardian/user_guardian_spec.rb
@@ -303,6 +303,30 @@ describe UserGuardian do
 Fabricate(:post, user: user, topic: topic)
 expect(guardian.can_delete_user?(user)).to eq(false)
 end
+
+ it "isn't allowed when site admin blocked self deletion" do
+ expect(user.first_post_created_at).to be_nil
+
+ SiteSetting.delete_user_self_max_post_count = -1
+ expect(guardian.can_delete_user?(user)).to eq(false)
+ end
+
+ it "correctly respects the delete_user_self_max_post_count setting" do
+ SiteSetting.delete_user_self_max_post_count = 0
+ expect(guardian.can_delete_user?(user)).to eq(true)
+
+ Fabricate(:post, user: user)
+
+ expect(guardian.can_delete_user?(user)).to eq(false)
+ SiteSetting.delete_user_self_max_post_count = 1
+ expect(guardian.can_delete_user?(user)).to eq(true)
+
+ Fabricate(:post, user: user)
+
+ expect(guardian.can_delete_user?(user)).to eq(false)
+ SiteSetting.delete_user_self_max_post_count = 2
+ expect(guardian.can_delete_user?(user)).to eq(true)
+ end
 end
 context "for moderators" do
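Review bot: The new examples cover only the self-deletion branch; nothing asserts that staff deletion is unaffected when `delete_user_self_max_post_count` is -1, although `has_more_posts_than?` is presumably shared with that path. An example in the following "for moderators" context that sets `SiteSetting.delete_user_self_max_post_count = -1` and expects the same `can_delete_user?` result as before would pin that the setting is scoped to self-service. The second example also chains five expectations with state changes in between; one example per threshold would make a failure point at the exact value. The enclosing `context` opens outside the hunk.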