about summary refs log tree commit diff
path: root/gn_auth/auth/authorisation/users
diff options
context:
space:
mode:
Diffstat (limited to 'gn_auth/auth/authorisation/users')
-rw-r--r--gn_auth/auth/authorisation/users/admin/models.py11
-rw-r--r--gn_auth/auth/authorisation/users/models.py38
2 files changed, 44 insertions, 5 deletions
diff --git a/gn_auth/auth/authorisation/users/admin/models.py b/gn_auth/auth/authorisation/users/admin/models.py
index 3d68932..0594864 100644
--- a/gn_auth/auth/authorisation/users/admin/models.py
+++ b/gn_auth/auth/authorisation/users/admin/models.py
@@ -4,6 +4,7 @@ import warnings
 from gn_auth.auth.db import sqlite3 as db
 from gn_auth.auth.authentication.users import User
 from gn_auth.auth.authorisation.roles.models import Role, db_rows_to_roles
+from gn_auth.auth.authorisation.resources.system.models import system_resource
 
 
 def sysadmin_role(conn: db.DbConnection) -> Role:
@@ -28,14 +29,14 @@ def grant_sysadmin_role(cursor: db.DbCursor, user: User) -> User:
     cursor.execute(
             "SELECT * FROM roles WHERE role_name='system-administrator'")
     admin_role = cursor.fetchone()
-    cursor.execute("SELECT resources.resource_id FROM resources")
-    cursor.executemany(
+    sysresource = system_resource(cursor)
+    cursor.execute(
         "INSERT INTO user_roles VALUES (:user_id, :role_id, :resource_id)",
-        tuple({
+        {
             "user_id": str(user.user_id),
             "role_id": admin_role["role_id"],
-            "resource_id": resource_id
-        } for resource_id in cursor.fetchall()))
+            "resource_id": str(sysresource.resource_id)
+        })
     return user
 
 
diff --git a/gn_auth/auth/authorisation/users/models.py b/gn_auth/auth/authorisation/users/models.py
index d30bfd0..ab7a980 100644
--- a/gn_auth/auth/authorisation/users/models.py
+++ b/gn_auth/auth/authorisation/users/models.py
@@ -1,5 +1,6 @@
 """Functions for acting on users."""
 import uuid
+import warnings
 from functools import reduce
 from datetime import datetime, timedelta
 
@@ -128,3 +129,40 @@ def user_resource_roles(conn: db.DbConnection, user: User) -> dict[uuid.UUID, tu
             (str(user.user_id),))
         return __build_resource_roles__(
             (dict(row) for row in cursor.fetchall()))
+
+
+def delete_users_by_id(
+        conn: db.DbConnection,
+        user_ids: tuple[uuid.UUID, ...]
+) -> int:
+    """Delete users unconditionally by ID, removing all dependent data.
+
+    Unlike the HTTP endpoint, this bypasses all policy checks — users are
+    deleted regardless of their roles or group memberships. Returns the
+    number of users removed from the users table.
+    """
+    warnings.warn(
+        (f"Running dangerous function `{__name__}.delete_users_by_id`. "
+         "Do ensure that is what you actually want."),
+        category=RuntimeWarning)
+    if not user_ids:
+        return 0
+    _ids = tuple(str(uid) for uid in user_ids)
+    _paramstr = ", ".join(["?"] * len(_ids))
+    _dependent_tables = (
+        ("authorisation_code", "user_id"),
+        ("forgot_password_tokens", "user_id"),
+        ("group_join_requests", "requester_id"),
+        ("jwt_refresh_tokens", "user_id"),
+        ("oauth2_tokens", "user_id"),
+        ("user_credentials", "user_id"),
+        ("user_roles", "user_id"),
+        ("user_verification_codes", "user_id"),
+    )
+    with db.cursor(conn) as cursor:
+        for table, col in _dependent_tables:
+            cursor.execute(
+                f"DELETE FROM {table} WHERE {col} IN ({_paramstr})", _ids)
+        cursor.execute(
+            f"DELETE FROM users WHERE user_id IN ({_paramstr})", _ids)
+        return cursor.rowcount
generated by cgit-pink 1.4.1 (git 2.36.1) at 2026-06-16 07:50:28 +0000