Remove user's avatar URL and displayname when deactivated. (#8932)

This only applies if the user's data is to be erased.
2025-05-02 12:36:02 -04:00 · 2021-01-12 22:30:15 +01:00 · 2021-01-12 22:30:15 +01:00 · 7a2e9b549d
commit 7a2e9b549d
parent 789d9ebad3
13 changed files with 351 additions and 17 deletions
--- a/synapse/rest/admin/users.py
+++ b/synapse/rest/admin/users.py
@ -244,7 +244,7 @@ class UserRestServletV2(RestServlet):

                if deactivate and not user["deactivated"]:
                    await self.deactivate_account_handler.deactivate_account(
-                        target_user.to_string(), False
+                        target_user.to_string(), False, requester, by_admin=True
                    )
                elif not deactivate and user["deactivated"]:
                    if "password" not in body:
@ -486,12 +486,22 @@ class WhoisRestServlet(RestServlet):
 class DeactivateAccountRestServlet(RestServlet):
    PATTERNS = admin_patterns("/deactivate/(?P<target_user_id>[^/]*)")

-    def __init__(self, hs):
+    def __init__(self, hs: "HomeServer"):
        self._deactivate_account_handler = hs.get_deactivate_account_handler()
        self.auth = hs.get_auth()
+        self.is_mine = hs.is_mine
+        self.store = hs.get_datastore()
+
+    async def on_POST(self, request: str, target_user_id: str) -> Tuple[int, JsonDict]:
+        requester = await self.auth.get_user_by_req(request)
+        await assert_user_is_admin(self.auth, requester.user)
+
+        if not self.is_mine(UserID.from_string(target_user_id)):
+            raise SynapseError(400, "Can only deactivate local users")
+
+        if not await self.store.get_user_by_id(target_user_id):
+            raise NotFoundError("User not found")

-    async def on_POST(self, request, target_user_id):
-        await assert_requester_is_admin(self.auth, request)
        body = parse_json_object_from_request(request, allow_empty_body=True)
        erase = body.get("erase", False)
        if not isinstance(erase, bool):
@ -501,10 +511,8 @@ class DeactivateAccountRestServlet(RestServlet):
                Codes.BAD_JSON,
            )

-        UserID.from_string(target_user_id)
-
        result = await self._deactivate_account_handler.deactivate_account(
-            target_user_id, erase
+            target_user_id, erase, requester, by_admin=True
        )
        if result:
            id_server_unbind_result = "success"
--- a/synapse/rest/client/v2_alpha/account.py
+++ b/synapse/rest/client/v2_alpha/account.py
@ -305,7 +305,7 @@ class DeactivateAccountRestServlet(RestServlet):
        # allow ASes to deactivate their own users
        if requester.app_service:
            await self._deactivate_account_handler.deactivate_account(
-                requester.user.to_string(), erase
+                requester.user.to_string(), erase, requester
            )
            return 200, {}

@ -313,7 +313,10 @@ class DeactivateAccountRestServlet(RestServlet):
            requester, request, body, "deactivate your account",
        )
        result = await self._deactivate_account_handler.deactivate_account(
-            requester.user.to_string(), erase, id_server=body.get("id_server")
+            requester.user.to_string(),
+            erase,
+            requester,
+            id_server=body.get("id_server"),
        )
        if result:
            id_server_unbind_result = "success"