Overview
Admins should be able to disable access to an account. This should:
- Make the user's blogs and posts inaccessible to the world
- Prevent the user from creating new posts or blogs
- Still allow them to log in, so they can e.g. export their data
- Update the user count via Write.as Teams API
A suspended user shouldn't count towards an instance's count of active users. So: reflect this in NodeInfo and the count sent to Write.as Teams API.
Implementation
When an admin suspends another user, we should insert into the userattributes table:
- user_id = {suspended user's ID}
- attribute = 'suspended'
- value = '1'
Now, on the viewing side:
- Make the user's blogs and posts inaccessible to the world
In collection viewing handlers -- via web, API, and ActivityPub -- do this:
SELECT 1 FROM userattributes WHERE user_id = {collection.ownerID} AND attribute = 'suspended' AND value = '1'
(NOTE: See existing funcs in database.go for how we create a helper func for this.) If that returns a row, return a 404 for the collection / collection post.
- Prevent the user from creating new posts or blogs
When publishing or updating posts, again check if the user is suspended, as above, and return a 403 Forbidden if they are.
- Still allow them to log in, so they can e.g. export their data
(No additional development needed here.)
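The suspension lookup and the two responses described above (404 on viewing, 403 on publishing), as an added Go example that is not the project's own code. The names suspendedFn, fromDB, gate, viewStatus and writeStatus are hypothetical, the `?` placeholder assumes a MySQL or SQLite driver, and returning 500 when the lookup fails is an assumption the spec does not state.

```go
package main

import (
	"database/sql"
	"errors"
	"fmt"
	"net/http"
)

// suspendedQuery is the spec's lookup with the user ID as a bound parameter.
const suspendedQuery = `SELECT 1 FROM userattributes
	WHERE user_id = ? AND attribute = 'suspended' AND value = '1'`

// suspendedFn reports whether a user is suspended (hypothetical seam for testing).
type suspendedFn func(userID int64) (bool, error)

// fromDB returns a suspendedFn backed by suspendedQuery; no row means not suspended.
func fromDB(db *sql.DB) suspendedFn {
	return func(userID int64) (bool, error) {
		var one int
		err := db.QueryRow(suspendedQuery, userID).Scan(&one)
		if errors.Is(err, sql.ErrNoRows) {
			return false, nil
		}
		return err == nil, err
	}
}

// gate fails closed (assumption): a lookup error yields 500, never the content.
func gate(check suspendedFn, userID int64, denied int) int {
	suspended, err := check(userID)
	if err != nil {
		return http.StatusInternalServerError
	}
	if suspended {
		return denied
	}
	return http.StatusOK
}

// viewStatus: reading a collection or post owned by ownerID (404 when suspended).
func viewStatus(check suspendedFn, ownerID int64) int { return gate(check, ownerID, http.StatusNotFound) }

// writeStatus: publishing or updating a post as userID (403 when suspended).
func writeStatus(check suspendedFn, userID int64) int { return gate(check, userID, http.StatusForbidden) }

func main() {
	check := suspendedFn(func(id int64) (bool, error) { return id == 7, nil }) // constructed: user 7 suspended
	fmt.Println(viewStatus(check, 7), writeStatus(check, 7), viewStatus(check, 8))
}
```

The same lookup is keyed on the collection owner for views and on the authenticated user for writes, so a suspended user's own login and export paths stay outside the gate.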