From d3d77cee54e65c908b306ec7cd4c89302dafca94 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Thu, 22 Apr 2021 13:13:47 -0400
Subject: [PATCH] Make open account deletion configurable

This adds a configuration option to the [app] section: open_deletion. When
true, users can delete their account on their own.

Ref T319
---
 account.go                             | 4 ++++
 admin.go                               | 1 +
 config/config.go                       | 3 ++-
 templates/user/admin/app-settings.tmpl | 8 ++++++++
 templates/user/settings.tmpl           | 4 ++--
 5 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/account.go b/account.go
index 6369d47..cbd7cde 100644
--- a/account.go
+++ b/account.go
@@ -1156,6 +1156,10 @@ func getTempInfo(app *App, key string, r *http.Request, w http.ResponseWriter) s
 }
 
 func handleUserDelete(app *App, u *User, w http.ResponseWriter, r *http.Request) error {
+	if !app.cfg.App.OpenDeletion {
+		return impart.HTTPError{http.StatusForbidden, "Open account deletion is disabled on this instance."}
+	}
+
 	confirmUsername := r.PostFormValue("confirm-username")
 	if u.Username != confirmUsername {
 		return impart.HTTPError{http.StatusBadRequest, "Confirmation username must match your username exactly."}
diff --git a/admin.go b/admin.go
index 6a1a3b5..2b757ca 100644
--- a/admin.go
+++ b/admin.go
@@ -555,6 +555,7 @@ func handleAdminUpdateConfig(apper Apper, u *User, w http.ResponseWriter, r *htt
 	apper.App().cfg.App.SiteDesc = r.FormValue("site_desc")
 	apper.App().cfg.App.Landing = r.FormValue("landing")
 	apper.App().cfg.App.OpenRegistration = r.FormValue("open_registration") == "on"
+	apper.App().cfg.App.OpenDeletion = r.FormValue("open_deletion") == "on"
 	mul, err := strconv.Atoi(r.FormValue("min_username_len"))
 	if err == nil {
 		apper.App().cfg.App.MinUsernameLen = mul
diff --git a/config/config.go b/config/config.go
index 8ee03ba..c0e5255 100644
--- a/config/config.go
+++ b/config/config.go
@@ -1,5 +1,5 @@
 /*
- * Copyright © 2018-2020 A Bunch Tell LLC.
+ * Copyright © 2018-2021 A Bunch Tell LLC.
  *
  * This file is part of WriteFreely.
  *
@@ -139,6 +139,7 @@ type (
 		// Users
 		SingleUser       bool `ini:"single_user"`
 		OpenRegistration bool `ini:"open_registration"`
+		OpenDeletion     bool `ini:"open_deletion"`
 		MinUsernameLen   int  `ini:"min_username_len"`
 		MaxBlogs         int  `ini:"max_blogs"`
 
diff --git a/templates/user/admin/app-settings.tmpl b/templates/user/admin/app-settings.tmpl
index 9142dcc..50c50ec 100644
--- a/templates/user/admin/app-settings.tmpl
+++ b/templates/user/admin/app-settings.tmpl
@@ -76,6 +76,14 @@ select {
 			</div>
 		</div>
 		<div class="features row">
+			<div{{if .Config.SingleUser}} class="invisible"{{end}}><label for="open_deletion">
+					Allow account deletion
+					<p>Allow all users to delete their account. Admins can always delete users.</p>
+				</label></div>
+			<div{{if .Config.SingleUser}} class="invisible"{{end}}><input type="checkbox" name="open_deletion" id="open_deletion" {{if .Config.OpenDeletion}}checked="checked"{{end}} />
+			</div>
+		</div>
+		<div class="features row">
 			<div{{if .Config.SingleUser}} class="invisible"{{end}}><label for="user_invites">
 					Allow invitations from...
 					<p>Choose who is allowed to invite new people.</p>
diff --git a/templates/user/settings.tmpl b/templates/user/settings.tmpl
index 7a90fb7..338ea9a 100644
--- a/templates/user/settings.tmpl
+++ b/templates/user/settings.tmpl
@@ -158,7 +158,7 @@ h3 { font-weight: normal; }
 		{{ end }}
 	{{ end }}
 
-	{{ if not .IsAdmin }}
+	{{ if and .OpenDeletion (not .IsAdmin) }}
 		<h2>Incinerator</h2>
 		<div class="alert danger">
 			<div class="row">
@@ -205,7 +205,7 @@ for (var i=0; i<showChecks.length; i++) {
 	});
 }
 
-{{ if not .IsAdmin }}
+{{ if and .OpenDeletion (not .IsAdmin) }}
 	H.getEl('cancel-delete').on('click', closeModals);
 
 	let $confirmDelBtn = document.getElementById('confirm-delete');