mumuki / mumuki-domain

💡 Mumuki's domain model
GNU Affero General Public License v3.0

Allow users to be deleted #86

Open flbulgarelli opened 4 years ago

flbulgarelli commented 4 years ago

:stop_sign: :bust_in_silhouette: We need users to be deleted, at least in a logical way. This idea impacts several features:

  1. :lock: Login: user should not be able to log in again, even if the login provider permits it. This is important for security reasons: nobody should be able to reclaim a deleted identity
  2. :video_game: Gamification: user should not be displayed with their real name in any kind of board or rank. Alternatively, it could be displayed with a standard "deleted account" username and image, like GitHub's ghost account https://github.com/ghost
  3. :left_speech_bubble: Discussions: User's discussions may remain intact, but user identity should be replaced following the previously mentioned guidelines.
  4. :school: Classroom: It should be detached from every course they belong to
  5. :mailbox: No new notifications should be sent by email
  6. If the user is soft-deleted, permissions and progress should be deleted, at least in the Postgres database.

It would be nice to allow them to delete their account from the UI, but this is not a core requirement.
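The following is an added example, not code from mumuki-domain, showing what the "logical delete" in the list above amounts to in plain Ruby: the user row survives (so discussions and logs keep a valid reference), but every personal identifier is scrubbed, boards and discussions render a ghost name and avatar, notifications are switched off, and a login is refused at the application level even when the identity provider still authenticates. The class names, the ghost asset path, and the `provider_uid` shape are assumptions.

```ruby
require 'digest'

# Added example (not mumuki's own code): a soft-deleted user that keeps its
# primary key but loses its identity and its ability to act.
class User
  GHOST_NAME   = 'deleted account'
  GHOST_AVATAR = '/images/ghost.png' # assumed asset path

  attr_reader :uid, :email, :name, :deleted_at

  def initialize(uid:, email:, name:)
    @uid, @email, @name = uid, email, name
    @deleted_at = nil
  end

  def deleted?
    !@deleted_at.nil?
  end

  # Logical delete: keep the row, wipe the identifiers. The email is replaced
  # with a non-routable value derived from the uid, so an email-keyed lookup
  # from the login provider can never match this row again and the real
  # address is not left behind for someone else to reclaim.
  def soft_delete!(now = Time.now)
    return self if deleted?
    @deleted_at = now
    @email = "deleted-#{Digest::SHA256.hexdigest(@uid.to_s)[0, 16]}@invalid"
    @name = nil
    self
  end

  # What boards, ranks and discussions show instead of the real identity.
  def display_name
    deleted? ? GHOST_NAME : @name
  end

  def avatar_url
    deleted? ? GHOST_AVATAR : "/avatars/#{@uid}" # assumed path
  end

  # Mailers consult this before sending anything.
  def notifications_enabled?
    !deleted?
  end
end

# Login hook: even if the identity provider authenticated the person, a
# deleted user must never get a session back at the application level.
class Sessions
  def initialize(users_by_uid)
    @users = users_by_uid
  end

  # `provider_uid` is the stable subject identifier returned by the login
  # provider (assumed shape, e.g. "auth0|123").
  def login(provider_uid)
    user = @users[provider_uid]
    return :unknown_user if user.nil?
    return :account_deleted if user.deleted?
    :ok
  end
end
```

Keying the lookup on the provider's subject id rather than the email is deliberate: after `soft_delete!` the email no longer matches anything, and the uid path lands on the `deleted?` check, so neither route yields a session.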

flbulgarelli commented 4 years ago

:up: Update

We need users to be deleted, at least in a logical way. This idea impacts several features:

  1. :lock: Login: user should not be able to log in again, even if the login provider permits it. This is important for security reasons: nobody should be able to reclaim a deleted identity

:heavy_minus_sign: Mostly done in https://github.com/mumuki/mumuki-domain/pull/90 and https://github.com/mumuki/mumuki-laboratory/pull/1406. Although login is permitted, every action is blocked.

:warning: We should still block the user at the login provider, in order to avoid weird situations where other users accidentally try to reclaim the identity and get it at the login-provider level, but not at the application level.

  2. :video_game: Gamification: user should not be displayed with their real name in any kind of board or rank. Alternatively, it could be displayed with a standard "deleted account" username and image, like GitHub's ghost account https://github.com/ghost

:heavy_minus_sign: Mostly done. Only avatars are missing

  3. :left_speech_bubble: Discussions: User's discussions may remain intact, but user identity should be replaced following the previously mentioned guidelines.

:heavy_check_mark: Done

  4. :school: Classroom: It should be detached from every course they belong to

:x: Not yet

  5. :mailbox: No new notifications should be sent by email

:heavy_check_mark: Done

  6. If the user is soft-deleted, permissions and progress should be deleted, at least in the Postgres database.

:x: Not yet

It would be nice to allow them to delete their account from the UI, but this is not a core requirement.

:x: Not yet

flbulgarelli commented 3 years ago

@NadiaFinzi @LauraMangifesta

With @faloi we came up with the following flow:

  1. The user goes to their profile and selects the delete account option
  2. Confirmation is requested and an email is sent to the person with the link to actually delete it
  3. Clicking the link in the email, the platform finally takes you to the delete account section, asks you to confirm again by typing your username (as GitHub does), and deletes it for good

Talking with @NadiaFinzi, we thought it would also be interesting for step 3 to force you to log in again before proceeding (while it is not a sudo mode, it does force you to re-enter your credentials in case someone has accessed your account without permission)

flbulgarelli commented 3 years ago

Talking with @NadiaFinzi, we thought it would also be interesting for step 3 to force you to log in again before proceeding (while it is not a sudo mode, it does force you to re-enter your credentials in case someone has accessed your account without permission)

:up: After further discussion, we think this option is actually better than deleting via an email link, because it is less ambiguous in the case where two people use the same contact email or someone does not have access to that email.

With that in mind, the ideal flow would be:

  1. The user goes to their profile and selects the delete account option
  2. Confirmation is requested (for example by typing a keyword such as BORRAR), and you are redirected to the delete screen, but logging you out first and sending you to a special login screen that already has the username pre-filled, and which, once you are logged in, only works if the uid is the same one that started the operation.
  3. From this screen you actually delete the account

The problem with this alternative is that I don't know whether item 2 can be implemented (it doesn't look like something identity providers allow in general), much less whether it can be implemented clearly without giving the impression that the deletion process has already finished when it still needs to be confirmed; @julian-berbel @luchotc what do you think?

If it can't be implemented this way, then we go back to the previous proposal (based on sending a confirmation link).
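As an added example that is not part of this thread or of mumuki's code, here is the confirmation flow from the two comments above modelled in plain Ruby: the user starts the request by typing the keyword, receives a one-time link token, and the deletion only goes through if the link is unexpired, the fresh login produced the same uid that started the request, and the typed username matches. The class and method names, the keyword `BORRAR`, the one-hour validity and the injected clock are assumptions; only a digest of the link token is stored, so a leaked table does not yield usable links.

```ruby
require 'securerandom'
require 'digest'

# Added example (not mumuki's own implementation) of the account deletion
# flow: keyword confirmation, mailed one-time link, re-login bound to the
# originating uid, and a final username check.
class AccountDeletionFlow
  KEYWORD   = 'BORRAR'   # what the user must type in step 2 (assumed)
  TOKEN_TTL = 60 * 60    # mailed link valid for one hour (assumed)

  Request = Struct.new(:uid, :token_digest, :expires_at, :used)

  # `users` maps uid => { username: '...' }; `deleter` performs the actual
  # (logical) deletion; `now` is injectable so expiry can be tested.
  def initialize(users, deleter:, now: -> { Time.now })
    @users, @deleter, @now = users, deleter, now
    @requests = {} # request id => Request
  end

  # Steps 1 and 2: the logged-in user asks to delete and types the keyword.
  # Returns the request id and the raw token that goes into the mailed link,
  # or an error symbol. Only the token's digest is kept server-side.
  def start(uid, typed_keyword)
    return :unknown_user unless @users.key?(uid)
    return :keyword_mismatch unless typed_keyword == KEYWORD
    token = SecureRandom.urlsafe_base64(32)
    id = SecureRandom.uuid
    @requests[id] = Request.new(uid, Digest::SHA256.hexdigest(token),
                                @now.call + TOKEN_TTL, false)
    { request_id: id, token: token }
  end

  # Step 3: the user followed the link, logged in again (`session_uid` is the
  # uid that fresh login produced) and typed the username. Every check must
  # pass; the request is consumed on success so the link cannot be replayed.
  def confirm(request_id, token, session_uid:, typed_username:)
    req = @requests[request_id]
    return :no_such_request if req.nil? || req.used
    return :expired if @now.call > req.expires_at
    return :bad_token unless constant_time_equal?(Digest::SHA256.hexdigest(token), req.token_digest)
    return :wrong_session unless session_uid == req.uid
    return :username_mismatch unless typed_username == @users[req.uid][:username]
    req.used = true
    @deleter.call(req.uid)
    :deleted
  end

  private

  # Compare digests without leaking where they first differ.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

The `session_uid == req.uid` check is what makes the re-login step meaningful: if a different account ends up holding the session when the link is followed (shared mailbox, or an attacker who has the inbox but not the credentials), the request is refused rather than deleting whichever account happens to be logged in.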

luchotc commented 3 years ago

We should add something like this in T&C: "Copies of some materials such as log records may remain in our database but are disassociated from personal identifiers."

Also, we should update T&C section which talks about account deletion to include this new flow.

This is just for @NadiaFinzi.

luchotc commented 3 years ago

Final flow:

faloi commented 3 years ago

First UI drafts, @felipecalvo @flbulgarelli @luchotc please comment.

1 - Delete account section

It's a partial, so it can be moved to a proper place in the new user menu.

[screenshot]

2 - First confirmation dialog

[screenshot: delete-modal]

3 - Mail confirmation sent

[screenshot]

luchotc commented 3 years ago

Like it a lot! The final placement won't be that, but as you've said it's a partial and we can move it. I would suggest moving the account info, just the name for now, to the modal body and leaving just "Eliminar cuenta" ("Delete account") as the title.

faloi commented 3 years ago

Agree, check now:

[screenshot]

felipecalvo commented 3 years ago

Something I'm not sure of is the "perderás acceso a los siguientes recorridos" ("you will lose access to the following paths") part. Public organizations won't be listed there, and that's alright, but progress will still be lost on them. Maybe something along the lines of "Perderás todo tu progreso en mumuki, y no podrás volver a acceder a:" ("You will lose all your progress on Mumuki, and will no longer be able to access:") is clearer?

I understand it's already mentioned in the delete account box, but still.

It looks good in any case, though! I'm also tempted to add one of those ominous "Esta acción no se puede deshacer." ("This action cannot be undone.") messages somewhere. (Well, I guess it could be stopped if you don't follow the instructions in the email, whatever they are). Too much text!