InsaLan / backend-insalan.fr

Backend of the insalan website
MIT License

Add a delete account endpoint #63

Closed KwikKill closed 4 weeks ago

KwikKill commented 11 months ago

We have to add an endpoint that allows users to delete their account. This endpoint could be a DELETE request with some kind of validation (could be password verification).

When a user is deleted, it should also delete their ongoing inscriptions (maybe automatic refund if possible), keep their past inscriptions (to keep events history).

We also need to check GDPR rules because if a user asks for an account deletion, we may not be able to keep his team history.

ShiroUsagi-san commented 11 months ago

For the last point, you're right. To address this issue, we can create an anonymous user that replaces the deleted account everywhere there is a reference to a deleted user. Maybe Django supports this kind of behavior?

Lugrim commented 11 months ago

Duplicate of #51, but more detailed, so we should keep this one instead.

@KwikKill:

> When a user is deleted, it should also delete their ongoing inscriptions (maybe automatic refund if possible), keep their past inscriptions (to keep events history).

Not a fan of cascading deletion of anything payment-related; we probably should prevent deletion if registrations are ongoing, asking to unregister first.

@ShiroUsagi-san:

> Maybe Django supports this kind of behavior?

The way Django intends to delete users without breaking foreign keys is by setting its is_active field to false, so deletion could actually:

Leyknn commented 10 months ago

Must we still keep deleted users unique? If not, why not make ForeignKey.on_delete = SET_DEFAULT, with the default user being a deleted user (with dummy data, for example)?

ShiroUsagi-san commented 10 months ago

I thought that was similar to what @Lugrim said but that's the easiest way to do this :ok_hand:

Lugrim commented 10 months ago

We should really ensure it doesn't break constraints.
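Added example, not part of the thread or the project's code: the ideas discussed above (password check before deletion, refusal while registrations are ongoing, past registrations reassigned to a placeholder user through SET DEFAULT) sketched with Python's `sqlite3` instead of the Django ORM so it runs stand-alone. Table names, the placeholder id, the PBKDF2 hasher and the function names are assumptions.

```python
import hashlib, hmac, os, sqlite3

SENTINEL_ID = 1  # assumption: id of the placeholder "deleted user" row

SCHEMA = """
CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT UNIQUE, salt BLOB, pw BLOB);
CREATE TABLE registration (
    id INTEGER PRIMARY KEY, event TEXT NOT NULL, ongoing INTEGER NOT NULL,
    -- database-level counterpart of the on_delete = SET_DEFAULT idea
    user_id INTEGER NOT NULL DEFAULT 1 REFERENCES user(id) ON DELETE SET DEFAULT
);
INSERT INTO user (id, name) VALUES (1, 'deleted-user');
"""

def hash_pw(password, salt):
    # Stand-in for the framework's password hasher (assumption)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FK actions without this
    conn.executescript(SCHEMA)
    return conn

def add_user(conn, name, password):
    salt = os.urandom(16)
    cur = conn.execute("INSERT INTO user (name, salt, pw) VALUES (?, ?, ?)",
                       (name, salt, hash_pw(password, salt)))
    conn.commit()
    return cur.lastrowid

def delete_account(conn, user_id, password):
    """Return "deleted", or the reason the request was refused."""
    if user_id == SENTINEL_ID:
        return "refused: placeholder account"
    row = conn.execute("SELECT salt, pw FROM user WHERE id = ?", (user_id,)).fetchone()
    if row is None or not hmac.compare_digest(hash_pw(password, row[0]), row[1]):
        return "refused: bad credentials"
    ongoing = conn.execute(
        "SELECT COUNT(*) FROM registration WHERE user_id = ? AND ongoing = 1",
        (user_id,)).fetchone()[0]
    if ongoing:
        return "refused: unregister from ongoing events first"
    with conn:  # one transaction: the user row goes, past registrations move to the placeholder
        conn.execute("DELETE FROM user WHERE id = ?", (user_id,))
    return "deleted"
```

If the placeholder row were missing, the `DELETE` would raise `sqlite3.IntegrityError` instead of leaving registrations pointing at a non-existent user.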

Leyknn commented 10 months ago

For the moment:

Is there somewhere else where we have to keep an object if the user is deleted? I have thought of:

KwikKill commented 4 weeks ago

I'm closing this as it will be much easier to do it manually. Having no control on account deletion is imo worse.