feat: personless User deletion via admin (#9312)

jennifer-richards · web-flow · commit ebe6fbf04659 · 2025-08-07T10:13:41.000-05:00
* feat: admin to allow user deletion

* fix: permissions + drop dangerous action

* chore: minor style lint

* fix: avoid limit on a queryset delete

* feat: User age filter

* feat: show useful fields on User admin

* chore: fix lint

* fix: reverse direction of age filter
diff --git a/ietf/ietfauth/admin.py b/ietf/ietfauth/admin.py
@@ -0,0 +1,136 @@
+# Copyright The IETF Trust 2025, All Rights Reserved
+import datetime
+
+from django.conf import settings
+from django.contrib import admin, messages
+from django.contrib.admin import action
+from django.contrib.admin.actions import delete_selected as default_delete_selected
+from django.contrib.auth.admin import UserAdmin
+from django.contrib.auth.models import User
+from django.utils import timezone
+
+
+# Replace default UserAdmin with our custom one
+admin.site.unregister(User)
+
+
+class AgeListFilter(admin.SimpleListFilter):
+    title = "account age"
+    parameter_name = "age"
+    
+    def lookups(self, request, model_admin):
+        return [
+            ("1day", "> 1 day"),
+            ("3days", "> 3 days"),
+            ("1week", "> 1 week"),
+            ("1month", "> 1 month"),
+            ("1year", "> 1 year"),
+        ]
+
+    def queryset(self, request, queryset):
+        deltas = {
+            "1day": datetime.timedelta(days=1),
+            "3days": datetime.timedelta(days=3),
+            "1week": datetime.timedelta(weeks=1),
+            "1month": datetime.timedelta(days=30),
+            "1year": datetime.timedelta(days=365),
+        }
+        if self.value():
+            return queryset.filter(date_joined__lt=timezone.now()-deltas[self.value()])
+        return queryset
+
+
+@admin.register(User)
+class CustomUserAdmin(UserAdmin):
+    list_display = (
+        "username",
+        "person",
+        "date_joined",
+        "last_login",
+        "is_staff",
+    )
+    list_filter = list(UserAdmin.list_filter) + [
+        AgeListFilter,
+        ("person", admin.EmptyFieldListFilter),
+    ]
+    actions = ["delete_selected"]
+
+    @action(
+        permissions=["delete"], description="Delete personless %(verbose_name_plural)s"
+    )
+    def delete_selected(self, request, queryset):
+        """Delete selected action restricted to Users with a null Person field
+
+        This displaces the default delete_selected action with a safer one that will
+        only delete personless Users. It is done this way instead of by introducing
+        a new action so that we can simply hand off to the default action (imported
+        as default_delete_selected()) without having to adjust its template (and maybe
+        other things) to make it work with a different action name.
+        """
+        already_confirmed = bool(request.POST.get("post"))
+        personless_queryset = queryset.filter(person__isnull=True)
+        original_count = queryset.count()
+        personless_count = personless_queryset.count()
+        if personless_count > original_count:
+            # Refuse to act if the count increased!
+            self.message_user(
+                request,
+                (
+                    "Limiting the selection to Users without a Person INCREASED the "
+                    "count from {} to {}. This should not happen and probably means a "
+                    "concurrent change to the database affected this request. Please "
+                    "try again.".format(original_count, personless_count)
+                ),
+                level=messages.ERROR,
+            )
+            return None  # return to changelist
+
+        # Display warning/info if this is showing the confirmation page
+        if not already_confirmed:
+            if personless_count < original_count:
+                self.message_user(
+                    request,
+                    (
+                        "Limiting the selection to Users without a Person reduced the "
+                        "count from {} to {}. Only {} will be deleted.".format(
+                            original_count, personless_count, personless_count
+                        )
+                    ),
+                    level=messages.WARNING,
+                )
+            else:
+                self.message_user(
+                    request,
+                    "Confirmed that all selected Users had no Persons.",
+                )
+
+        # Django limits the number of fields in a request. The delete form itself
+        # includes a few metadata fields, so give it a little padding. The default
+        # limit is 1000 and everything will break if it's a small number, so not
+        # bothering to check that it's > 10.
+        max_count = settings.DATA_UPLOAD_MAX_NUMBER_FIELDS - 10
+        if personless_count > max_count:
+            self.message_user(
+                request,
+                (
+                    f"Only {max_count} Users can be deleted at once. Will only delete "
+                    f"the first {max_count} selected Personless Users."
+                ),
+                level=messages.WARNING,
+            )
+            # delete() doesn't like a queryset limited via [:max_count], so do an
+            # equivalent filter.
+            last_to_delete = personless_queryset.order_by("pk")[max_count]
+            personless_queryset = personless_queryset.filter(pk__lt=last_to_delete.pk)
+
+        if already_confirmed and personless_count != original_count:
+            # After confirmation, none of the above filtering should change anything.
+            # Refuse to delete if the DB moved underneath us.
+            self.message_user(
+                request,
+                "Queryset count changed, nothing deleted. Please try again.",
+                level=messages.ERROR,
+            )
+            return None
+
+        return default_delete_selected(self, request, personless_queryset)
