Change Details

## Overview Admins should be able to disable access to an account. This should: * Make the user's blogs and posts inaccessible to the world * Prevent the user from creating new posts or blogs * Still allow the to log in, so they can e.g. export their data * Update the user count via Write.as Teams API A suspended user shouldn't count towards an instance's count of active users. So: reflect this in NodeInfo and the count sent to Write.as Teams API. ## Implementation TODO

## Overview Admins should be able to disable access to an account. This should: * Make the user's blogs and posts inaccessible to the world * Prevent the user from creating new posts or blogs * Still allow the to log in, so they can e.g. export their data * Update the user count via Write.as Teams API A suspended user shouldn't count towards an instance's count of active users. So: reflect this in NodeInfo and the count sent to Write.as Teams API. ## Implementation When an admin suspends another user, we should insert into the `userattributes` table: * user_id = {suspended user's ID} * attribute = 'suspended' * value = '1' Now, on the viewing side: > * Make the user's blogs and posts inaccessible to the world In collection viewing handlers -- via web, API, and ActivityPub -- do this: ``` SELECT 1 FROM userattributes WHERE user_id = {collection.ownerID} AND attribute = 'suspended' AND value = '1' ``` (NOTE: See existing funcs in `database.go` for how we create a helper func for this.) If that returns a row, return a `404` for the collection / collection post. > * Prevent the user from creating new posts or blogs When publishing or updating posts, again check if the user is suspended, as above, and return a `403 Forbidden` if they are. > * Still allow the to log in, so they can e.g. export their data (No additional development needed here.)

## Overview Admins should be able to disable access to an account. This should: * Make the user's blogs and posts inaccessible to the world * Prevent the user from creating new posts or blogs * Still allow the to log in, so they can e.g. export their data * Update the user count via Write.as Teams API A suspended user shouldn't count towards an instance's count of active users. So: reflect this in NodeInfo and the count sent to Write.as Teams API. ## Implementation When an admin suspends another user, we should insert into the `userattributes` table: * user_id = {suspended user's ID} * attribute = 'suspended' * value = '1' Now, on the viewing side: > * Make the user's blogs and posts inaccessible to the world In collection viewing handlers -- via web, API, and ActivityPub -- do this: ``` SELECT 1 FROM userattributes WHERE user_id = {collection.ownerID} AND attribute = 'suspended' AND value = '1' TODO``` (NOTE: See existing funcs in `database.go` for how we create a helper func for this.) If that returns a row, return a `404` for the collection / collection post. > * Prevent the user from creating new posts or blogs When publishing or updating posts, again check if the user is suspended, as above, and return a `403 Forbidden` if they are. > * Still allow the to log in, so they can e.g. export their data (No additional development needed here.)