Allow customers to delete their profile

We add a new form to the profile section that requires the customer to
confirm their password, but which then deletes their user.

oscar/apps/customer/app.py

@@ -30,6 +30,7 @@ class CustomerApplication(Application):
     register_view = views.AccountRegistrationView
     profile_view = views.ProfileView
     profile_update_view = views.ProfileUpdateView
+    profile_delete_view = views.ProfileDeleteView
     change_password_view = views.ChangePasswordView
 
     notification_inbox_view = notification_views.InboxView
@@ -70,6 +71,9 @@ class CustomerApplication(Application):
             url(r'^profile/edit/$',
                 login_required(self.profile_update_view.as_view()),
                 name='profile-update'),
+            url(r'^profile/delete/$',
+                login_required(self.profile_delete_view.as_view()),
+                name='profile-delete'),
 
             # Order history
             url(r'^orders/$',

oscar/apps/customer/forms.py

@@ -93,6 +93,26 @@ class EmailAuthenticationForm(AuthenticationForm):
         return url
 
 
+class ConfirmPasswordForm(forms.Form):
+    """
+    Extends the standard django AuthenticationForm, to support 75 character
+    usernames. 75 character usernames are needed to support the EmailOrUsername
+    auth backend.
+    """
+    password = forms.CharField(label=_("Password"), widget=forms.PasswordInput)
+
+    def __init__(self, user, *args, **kwargs):
+        super(ConfirmPasswordForm, self).__init__(*args, **kwargs)
+        self.user = user
+
+    def clean_password(self):
+        password = self.cleaned_data['password']
+        if not self.user.check_password(password):
+            raise forms.ValidationError(
+                _("The entered password is not valid!"))
+        return password
+
+
 class CommonPasswordValidator(validators.BaseValidator):
     # See
     # http://www.smartplanet.com/blog/business-brains/top-20-most-common-passwords-of-all-time-revealed-8216123456-8216princess-8216qwerty/4519  # noqa

oscar/apps/customer/views.py

@@ -24,7 +24,8 @@ Dispatcher = get_class('customer.utils', 'Dispatcher')
 EmailAuthenticationForm, EmailUserCreationForm, OrderSearchForm = get_classes(
     'customer.forms', ['EmailAuthenticationForm', 'EmailUserCreationForm',
                        'OrderSearchForm'])
-ProfileForm = get_class('customer.forms', 'ProfileForm')
+ProfileForm, ConfirmPasswordForm = get_classes(
+    'customer.forms', ['ProfileForm', 'ConfirmPasswordForm'])
 UserAddressForm = get_class('address.forms', 'UserAddressForm')
 user_registered = get_class('customer.signals', 'user_registered')
 Order = get_model('order', 'Order')
@@ -294,6 +295,28 @@ class ProfileUpdateView(PageTitleMixin, FormView):
         return reverse('customer:profile-view')
 
 
+class ProfileDeleteView(PageTitleMixin, FormView):
+    form_class = ConfirmPasswordForm
+    template_name = 'customer/profile/profile_delete.html'
+    page_title = _('Delete profile')
+    active_tab = 'profile'
+
+    def get_form_kwargs(self):
+        kwargs = super(ProfileDeleteView, self).get_form_kwargs()
+        kwargs['user'] = self.request.user
+        return kwargs
+
+    def form_valid(self, form):
+        self.request.user.delete()
+        messages.success(
+            self.request,
+            _("Your profile has now been deleted. Thanks for using the site."))
+        return HttpResponseRedirect(self.get_success_url())
+
+    def get_success_url(self):
+        return reverse('promotions:home')
+
+
 class ChangePasswordView(PageTitleMixin, FormView):
     form_class = PasswordChangeForm
     template_name = 'customer/profile/change_password_form.html'

oscar/apps/order/abstract_models.py

@@ -127,7 +127,10 @@ class AbstractOrder(models.Model):
 
     @property
     def is_anonymous(self):
-        return self.user is None
+        # It's possible for an order to be placed by a customer who then
+        # deletes their profile.  Hence, we need to check that a guest email is
+        # set.
+        return self.user is None and bool(self.guest_email)
 
     @property
     def basket_total_before_discounts_incl_tax(self):

oscar/templates/oscar/customer/profile/profile.html

@@ -31,6 +31,6 @@
 
     <a href="{% url 'customer:change-password' %}" class="btn btn-primary">{% trans 'Change password' %}</a>
     <a href="{% url 'customer:profile-update' %}" class="btn btn-primary">{% trans 'Edit profile' %}</a>
+    <a id="delete_profile" href="{% url 'customer:profile-delete' %}" class="btn btn-danger">{% trans 'Delete profile' %}</a>
 
 {% endblock %}
-

oscar/templates/oscar/customer/profile/profile_delete.html

@@ -0,0 +1,21 @@
+{% extends "customer/baseaccountpage.html" %}
+{% load i18n %}
+
+{% block tabcontent %}
+    <p>{% trans "Please confirm your password to delete your profile." %}</p>
+    <form id="delete_profile_form" action="." method="post" class="form-horizontal">
+        {% csrf_token %}
+        {% include "partials/form_fields.html" %}
+        <div class="alert alert-warning">
+            <h3>{% trans "Warning" %}</h3>
+            {% blocktrans %}
+                This will delete all information about you from the site.  Deleting your profile cannot be
+                undone.
+            {% endblocktrans %}
+        </div>
+        <div class="form-actions">
+            <button class="btn btn-large btn-danger" type="submit">{% trans "Delete" %}</button>
+            {% trans "or" %} <a href="{% url "customer:profile-view" %}">{% trans "cancel" %}</a>.
+        </div>
+    </form>
+{% endblock tabcontent %}

oscar/templates/oscar/dashboard/orders/order_detail.html

@@ -30,7 +30,9 @@
 {% block dashboard_content %}
     <table class="table table-striped table-bordered table-hover">
         <caption><i class="icon-group icon-large"></i>{% trans "Customer Information" %}</caption>
-        {% if order.user %}
+        {% if order.guest_email %}
+            <tr><td>{% trans "Customer checked out as a guest." %}</td></tr>
+        {% elif order.user %}
             <tr>
                 <th>{% trans "Name" %}</th>
                 <th>{% trans "Email address" %}</th>
@@ -40,7 +42,7 @@
                 <td>{{ order.user.email|default:"-" }}</td>
             </tr>
         {% else %}
-            <tr><td>{% trans "Customer checked out anonymously." %}</td></tr>
+            <tr><td>{% trans "Customer has deleted their account." %}</td></tr>
         {% endif %}
     </table>
 

oscar/templates/oscar/dashboard/orders/order_list.html

@@ -111,10 +111,12 @@
                             <td>{{ order.num_items }}</td>
                             <td>{{ order.status|default:"-" }}</td>
                             <td>
-                                {% if not order.is_anonymous %}
+                                {% if order.guest_email %}
+                                    {{ order.guest_email }}
+                                {% elif order.user %}
                                     <a href="{% url 'dashboard:user-detail' pk=order.user.id %}">{{ order.user.get_full_name|default:"-" }}</a>
                                 {% else %}
-                                    {{ order.email }}
+                                    &lt;{% trans "Deleted" %}&gt;
                                 {% endif %}
                             </td>
                             <td>{{ order.shipping_address|default:"-" }}</td>

tests/functional/customer/profile_tests.py

@@ -8,6 +8,7 @@ from oscar.test.testcases import WebTestCase
 from oscar.core.compat import get_user_model
 from oscar.apps.basket.models import Basket
 from oscar.apps.partner import strategy
+from oscar.apps.order.models import Order
 
 
 User = get_user_model()
@@ -28,9 +29,29 @@ class TestASignedInUser(WebTestCase):
         self.assertEqual(200, response.status_code)
         self.assertTrue(self.email in response.content)
 
+    def test_can_delete_their_profile(self):
+        user_id = self.user.id
+        order_id = self.order.id
+
+        profile = self.app.get(reverse('customer:profile-view'),
+                               user=self.user)
+        delete_confirm = profile.click(linkid="delete_profile")
+        form = delete_confirm.forms['delete_profile_form']
+        form['password'] = self.password
+        form.submit()
+
+        # Ensure user is deleted
+        users = User.objects.filter(id=user_id)
+        self.assertEqual(0, len(users))
+
+        # Ensure order isn't deleted
+        users = User.objects.filter(id=user_id)
+        orders = Order.objects.filter(id=order_id)
+        self.assertEqual(1, len(orders))
+
     def test_can_update_their_name(self):
         profile_form_page = self.app.get(reverse('customer:profile-update'),
-                                user=self.user)
+                                         user=self.user)
         self.assertEqual(200, profile_form_page.status_code)
         form = profile_form_page.forms['profile_form']
         form['first_name'] = 'Barry'
@@ -40,7 +61,7 @@ class TestASignedInUser(WebTestCase):
 
     def test_can_update_their_email_address_and_name(self):
         profile_form_page = self.app.get(reverse('customer:profile-update'),
-                                user=self.user)
+                                         user=self.user)
         self.assertEqual(200, profile_form_page.status_code)
         form = profile_form_page.forms['profile_form']
         form['email'] = 'new@example.com'