feat: OPTIC-116: User soft-deletion API (#4876)

dredivaris · web-flow · commit adc2475e6089 · 2023-10-10T17:09:44.000-07:00
* feat: OPTIC-116: User soft-deletion API

* Add new HasOwnerPermission to check owner for deletion, add soft_delete function

* Update tests

* Add linting changes

* Add permission_required to view

* Linting fix

* Updates to fix soft delete and add typing

* Add newlines for test legibility

* Update status code, update typing error

* Add new url to all_urls.json

---------

Co-authored-by: dredivaris &lt;dredivaris@users.noreply.github.com&gt;
diff --git a/label_studio/core/all_urls.json b/label_studio/core/all_urls.json
@@ -491,6 +491,13 @@
         "name": "current-user-whoami",
         "decorators": ""
     },
+    {
+        "url": "/users/<int:pk>/soft-delete/",
+        "module": "users.views.UserSoftDeleteView",
+        "name": "user-soft-delete",
+        "decorators": ""
+    },
+
     {
         "url": "/api/tasks/",
         "module": "tasks.api.TaskListAPI",
diff --git a/label_studio/core/api_permissions.py b/label_studio/core/api_permissions.py
@@ -4,3 +4,10 @@
 class HasObjectPermission(BasePermission):
     def has_object_permission(self, request, view, obj):
         return obj.has_permission(request.user)
+
+
+class HasOwnerPermission(BasePermission):
+    def has_object_permission(self, request, view, obj):
+        if not request.user.own_organization or obj.active_organization != request.user.active_organization:
+            return False
+        return obj.has_permission(request.user)
diff --git a/label_studio/core/settings/base.py b/label_studio/core/settings/base.py
@@ -528,6 +528,7 @@
 ANNOTATION_MIXIN = 'tasks.mixins.AnnotationMixin'
 ORGANIZATION_MIXIN = 'organizations.mixins.OrganizationMixin'
 USER_MIXIN = 'users.mixins.UserMixin'
+USER_PERM = 'core.api_permissions.HasOwnerPermission'
 RECALCULATE_ALL_STATS = None
 GET_STORAGE_LIST = 'io_storages.functions.get_storage_list'
 STORAGE_ANNOTATION_SERIALIZER = 'io_storages.serializers.StorageAnnotationSerializer'
diff --git a/label_studio/tests/users.tavern.yml b/label_studio/tests/users.tavern.yml
@@ -7,14 +7,17 @@ marks:
 stages:
 - id: signup
   type: ref
+
 - id: get_my_user
   type: ref
+
 - name: stage
   request:
     method: GET
     url: '{django_live_url}/api/users'
   response:
     status_code: 200
+
 - name: stage
   request:
     method: GET
@@ -24,6 +27,7 @@ stages:
     save:
       json:
         org_pk: active_organization
+
 - name: stage
   request:
     json:
@@ -37,12 +41,14 @@ stages:
       json:
         new_user_pk: id
     status_code: 201
+
 - name: stage
   request:
     method: GET
     url: '{django_live_url}/api/users/{new_user_pk}'
   response:
     status_code: 200
+
 - name: attempt_update_email_raises_405
   request:
     url: "{django_live_url}/api/users/{new_user_pk}"
@@ -72,6 +78,7 @@ stages:
       status_code: 302
       headers:
         location: "/projects/" # redirect to projects page rather than malicious.com
+
   - name: malicious_login
     request:
       url: "{django_live_url}/user/login?next=http://malicious.com"
@@ -83,3 +90,124 @@ stages:
       status_code: 302
       headers:
         location: "/projects/" # redirect to projects page rather than malicious.com
+
+---
+test_name: test_users_soft_delete
+strict: false
+marks:
+- usefixtures:
+  - django_live_url
+stages:
+- id: signup
+  type: ref
+
+- id: get_my_user
+  type: ref
+
+- name: get_active_organization
+  request:
+    method: GET
+    url: '{django_live_url}/api/users/{user_pk}'
+  response:
+    status_code: 200
+    save:
+      json:
+        org_pk: active_organization
+
+- type: ref
+  id: get_invite_url
+
+- type: ref
+  id: logout
+
+# signup 2 new users
+- name: signup_new_user_under_active_organization
+  request:
+    url: "{django_live_url}{invite_url}"
+    data:
+      email: test_user@heartextest.com
+      password: 12345678
+    method: POST
+  response:
+    status_code: 302
+
+- type: ref
+  id: logout
+
+- name: signup_second_new_user_under_active_organization
+  request:
+    url: "{django_live_url}{invite_url}"
+    data:
+      email: test_second_user@heartextest.com
+      password: 12345678
+    method: POST
+  response:
+    status_code: 302
+
+- id: get_my_user # get user_pk to use in soft-delete
+  type: ref
+
+- id: get_user_token
+  type: ref
+
+- id: logout
+  type: ref
+
+- id: get_my_user_with_token
+  name: Get my user with token
+  request:
+    headers:
+      authorization: "Token {user_token}"
+    url: "{django_live_url}/api/current-user/whoami"
+    method: GET
+  response:
+    status_code: 200
+
+- name: login_as_first_new_user
+  request:
+    url: "{django_live_url}/user/login"
+    data:
+      email: test_user@heartextest.com
+      password: 12345678
+    method: POST
+  response:
+    status_code: 302
+
+- name: soft_delete_user_fails_without_owner_logged_in
+  request:
+    url: "{django_live_url}/users/{user_pk}/soft-delete"
+    method: DELETE
+  response:
+    status_code: 403
+
+- id: logout
+  type: ref
+
+- id: login # as owner
+  type: ref
+
+- name: soft_delete_user_succeeds_as_owner
+  request:
+    url: "{django_live_url}/users/{user_pk}/soft-delete"
+    method: DELETE
+  response:
+    status_code: 204
+
+- name: soft_delete_user_fails_second_deletion_attempt
+  request:
+    url: "{django_live_url}/users/{user_pk}/soft-delete"
+    method: DELETE
+  response:
+    status_code: 404
+
+- id: logout
+  type: ref
+
+- name: get_my_user_with_token_fails_as_user_is_now_deleted
+  request:
+    headers:
+      authorization: "Token {user_token}"
+    url: "{django_live_url}/api/current-user/whoami"
+    method: GET
+  response:
+    status_code: 401
diff --git a/label_studio/users/models.py b/label_studio/users/models.py
@@ -1,9 +1,11 @@
 """This file and its contents are licensed under the Apache License 2.0. Please see the included NOTICE for copyright information and LICENSE for a copy of the license.
 """
 import datetime
+from typing import Optional
 
 from core.feature_flags import flag_set
 from core.utils.common import load_func
+from core.utils.db import fast_first
 from django.conf import settings
 from django.contrib.auth.base_user import AbstractBaseUser, BaseUserManager
 from django.contrib.auth.models import PermissionsMixin
@@ -164,8 +166,8 @@ def active_organization_contributed_project_number(self):
         return annotations.values_list('project').distinct().count()
 
     @property
-    def own_organization(self):
-        return Organization.objects.get(created_by=self)
+    def own_organization(self) -> Optional[Organization]:
+        return fast_first(Organization.objects.filter(created_by=self))
 
     @property
     def has_organization(self):
@@ -193,12 +195,15 @@ def get_short_name(self):
         """Return the short name for the user."""
         return self.first_name
 
-    def reset_token(self):
-        token = Token.objects.filter(user=self)
-        if token.exists():
-            token.delete()
+    def reset_token(self) -> Token:
+        Token.objects.filter(user=self).delete()
         return Token.objects.create(user=self)
 
+    def soft_delete(self) -> None:
+        self.is_deleted = True
+        Token.objects.filter(user=self).delete()
+        self.save(update_fields=['is_deleted'])
+
     def get_initials(self):
         initials = '?'
 
diff --git a/label_studio/users/urls.py b/label_studio/users/urls.py
@@ -8,6 +8,7 @@
 from django.views.static import serve
 from rest_framework import routers
 from users import api, views
+from users.views import UserSoftDeleteView
 
 router = routers.DefaultRouter()
 router.register(r'users', api.UserAPI, basename='user')
@@ -23,6 +24,8 @@
     path('api/current-user/reset-token/', api.UserResetTokenAPI.as_view(), name='current-user-reset-token'),
     path('api/current-user/token', api.UserGetTokenAPI.as_view(), name='current-user-token'),
     path('api/current-user/whoami', api.UserWhoAmIAPI.as_view(), name='current-user-whoami'),
+    # additional user actions
+    path('users/<int:pk>/soft-delete/', UserSoftDeleteView.as_view(), name='user-soft-delete'),
 ]
 
 # When CLOUD_FILE_STORAGE_ENABLED is set, avatars are uploaded to cloud storage with a different URL pattern.
diff --git a/label_studio/users/views.py b/label_studio/users/views.py
@@ -1,21 +1,33 @@
 """This file and its contents are licensed under the Apache License 2.0. Please see the included NOTICE for copyright information and LICENSE for a copy of the license.
 """
 import logging
+from typing import Any
 
 from core.feature_flags import flag_set
 from core.middleware import enforce_csrf_checks
+from core.permissions import ViewClassPermission, all_permissions
 from core.utils.common import load_func
 from django.conf import settings
 from django.contrib import auth
 from django.contrib.auth.decorators import login_required
 from django.core.exceptions import PermissionDenied
+from django.http import Http404
 from django.shortcuts import redirect, render, reverse
 from django.utils.http import is_safe_url
 from organizations.forms import OrganizationSignupForm
 from organizations.models import Organization
+from rest_framework import generics, status
 from rest_framework.authtoken.models import Token
+from rest_framework.exceptions import MethodNotAllowed
+from rest_framework.permissions import IsAuthenticated
+from rest_framework.request import Request
+from rest_framework.response import Response
 from users import forms
 from users.functions import login, proceed_registration
+from users.models import User
+from users.serializers import UserSerializer
+
+HasObjectPermission = load_func(settings.USER_PERM)
 
 logger = logging.getLogger()
 
@@ -149,3 +161,32 @@ def user_account(request):
         'users/user_account.html',
         {'settings': settings, 'user': user, 'user_profile_form': form, 'token': token},
     )
+
+
+class UserSoftDeleteView(generics.RetrieveDestroyAPIView):
+    permission_required = ViewClassPermission(
+        DELETE=all_permissions.organizations_change,
+    )
+    queryset = User.objects.all()
+    serializer_class = UserSerializer
+    permission_classes = (IsAuthenticated, HasObjectPermission)
+
+    def get_object(self) -> User:
+        pk = self.kwargs[self.lookup_field]
+        # only fetch & delete user if they are in the same organization as the calling user
+        try:
+            user = self.queryset.filter(active_organization=self.request.user.active_organization).get(pk=pk)
+        except User.DoesNotExist:
+            raise Http404('User could not be found in organization')
+
+        return user
+
+    def destroy(self, request: Request, *args: Any, **kwargs: Any) -> Response:
+        user = self.get_object()
+
+        self.check_object_permissions(self.request, user)
+        if self.kwargs[self.lookup_field] == self.request.user.pk:
+            raise MethodNotAllowed('User cannot delete self')
+
+        user.soft_delete()
+        return Response(status=status.HTTP_204_NO_CONTENT)
