zammad/lib/validations/data_privacy_task_validator.rb

# Copyright (C) 2012-2026 Zammad Foundation, https://zammad-foundation.org/

class Validations::DataPrivacyTaskValidator < ActiveModel::Validator

  attr_reader :record

  delegate :deletable, to: :record

  def validate(record)
    @record = record

    check_for_deletable_type
    check_for_existing_task
    check_for_user
  end

  private

  def check_for_deletable_type
    return if !record.deletable_type_changed?
    return if [User, Ticket].any? { deletable.is_a?(it) }

    record.errors.add(:base, __('Data privacy task allows to delete a user or a ticket only.'))
  end

  def check_for_user
    return if !record.deletable_id_changed?
    return if !deletable.is_a?(User)

    check_for_system_user
    check_for_current_user
    check_for_last_admin
  end

  def check_for_system_user
    return if deletable.id != 1

    record.errors.add(:base, __('It is not possible to delete the system user.'))
  end

  def check_for_current_user
    return if deletable.id != UserInfo.current_user_id

    record.errors.add(:base, __('It is not possible to delete your current account.'))
  end

  def check_for_last_admin
    return if !last_admin?

    record.errors.add(:base, __('It is not possible to delete the last account with admin permissions.'))
  end

  def check_for_existing_task
    return if !record.deletable_id_changed?
    return if !tasks_exists?

    record.errors.add(:base, __('Selected object is already queued for deletion.'))
  end

  def tasks_exists?
    DataPrivacyTask
      .where.not(id:    record.id)
      .where.not(state: 'failed')
      .exists? deletable: deletable
  end

  def last_admin?
    return false if !deletable_is_admin?

    future_admin_ids.blank?
  end

  def future_admin_ids
    other_admin_ids - existing_jobs_admin_ids
  end

  def other_admin_ids
    admin_users.where.not(id: deletable.id).pluck(:id)
  end

  def deletable_is_admin?
    admin_users.exists?(id: deletable.id)
  end

  def existing_jobs_admin_ids
    DataPrivacyTask.where(
      deletable_id:   other_admin_ids,
      deletable_type: 'User'
    ).pluck(:deletable_id)
  end

  def admin_users
    User.with_permissions('admin')
  end
end
Maintenance: Update copyright information. 2026-01-02 13:41:09 +00:00			`# Copyright (C) 2012-2026 Zammad Foundation, https://zammad-foundation.org/`
Maintenance: Update copyright information and add a new rubocop cop to watch over it. 2021-06-01 12:20:20 +00:00
Maintenance: Unify custom Rails model validators. 2023-03-10 14:49:19 +00:00			`class Validations::DataPrivacyTaskValidator < ActiveModel::Validator`
Fixes #2074 - Ability of deleting customers and / or all ticket at once. 2020-09-08 15:06:23 +00:00
			`attr_reader :record`

Fixes #4838 - Data retention rules for cleanup users (or other objects) from the system with the scheduler Co-authored-by: Dominik Klein <dk@zammad.com> Co-authored-by: Dusan Vuckovic <dv@zammad.com> Co-authored-by: Florian Liebe <fl@zammad.com> Co-authored-by: Mantas Masalskis <mm@zammad.com> Co-authored-by: Rolf Schmidt <rolf.schmidt@zammad.com> Co-authored-by: Tobias Schäfer <ts@zammad.com> 2023-11-03 12:47:39 +00:00			`delegate :deletable, to: :record`

Fixes #2074 - Ability of deleting customers and / or all ticket at once. 2020-09-08 15:06:23 +00:00			`def validate(record)`
			`@record = record`

Fixes #4838 - Data retention rules for cleanup users (or other objects) from the system with the scheduler Co-authored-by: Dominik Klein <dk@zammad.com> Co-authored-by: Dusan Vuckovic <dv@zammad.com> Co-authored-by: Florian Liebe <fl@zammad.com> Co-authored-by: Mantas Masalskis <mm@zammad.com> Co-authored-by: Rolf Schmidt <rolf.schmidt@zammad.com> Co-authored-by: Tobias Schäfer <ts@zammad.com> 2023-11-03 12:47:39 +00:00			`check_for_deletable_type`
Fixes #2074 - Ability of deleting customers and / or all ticket at once. 2020-09-08 15:06:23 +00:00			`check_for_existing_task`
Fixes #4838 - Data retention rules for cleanup users (or other objects) from the system with the scheduler Co-authored-by: Dominik Klein <dk@zammad.com> Co-authored-by: Dusan Vuckovic <dv@zammad.com> Co-authored-by: Florian Liebe <fl@zammad.com> Co-authored-by: Mantas Masalskis <mm@zammad.com> Co-authored-by: Rolf Schmidt <rolf.schmidt@zammad.com> Co-authored-by: Tobias Schäfer <ts@zammad.com> 2023-11-03 12:47:39 +00:00			`check_for_user`
Fixes #2074 - Ability of deleting customers and / or all ticket at once. 2020-09-08 15:06:23 +00:00			`end`

			`private`

Fixes #4838 - Data retention rules for cleanup users (or other objects) from the system with the scheduler Co-authored-by: Dominik Klein <dk@zammad.com> Co-authored-by: Dusan Vuckovic <dv@zammad.com> Co-authored-by: Florian Liebe <fl@zammad.com> Co-authored-by: Mantas Masalskis <mm@zammad.com> Co-authored-by: Rolf Schmidt <rolf.schmidt@zammad.com> Co-authored-by: Tobias Schäfer <ts@zammad.com> 2023-11-03 12:47:39 +00:00			`def check_for_deletable_type`
Fixes #3536 - Don't fail job is deletable_id is no longer available. 2021-06-02 11:37:57 +00:00			`return if !record.deletable_type_changed?`
Maintenance: Switch to Ruby 3.4.5 2025-08-06 06:17:01 +00:00			`return if [User, Ticket].any? { deletable.is_a?(it) }`
Fixes #2074 - Ability of deleting customers and / or all ticket at once. 2020-09-08 15:06:23 +00:00
Maintenance: Improve DataPrivacyTask error messages 2023-11-22 15:41:08 +00:00			`record.errors.add(:base, __('Data privacy task allows to delete a user or a ticket only.'))`
Fixes #2074 - Ability of deleting customers and / or all ticket at once. 2020-09-08 15:06:23 +00:00			`end`

Fixes #4838 - Data retention rules for cleanup users (or other objects) from the system with the scheduler Co-authored-by: Dominik Klein <dk@zammad.com> Co-authored-by: Dusan Vuckovic <dv@zammad.com> Co-authored-by: Florian Liebe <fl@zammad.com> Co-authored-by: Mantas Masalskis <mm@zammad.com> Co-authored-by: Rolf Schmidt <rolf.schmidt@zammad.com> Co-authored-by: Tobias Schäfer <ts@zammad.com> 2023-11-03 12:47:39 +00:00			`def check_for_user`
Fixes #3536 - Don't fail job is deletable_id is no longer available. 2021-06-02 11:37:57 +00:00			`return if !record.deletable_id_changed?`
Fixes #4838 - Data retention rules for cleanup users (or other objects) from the system with the scheduler Co-authored-by: Dominik Klein <dk@zammad.com> Co-authored-by: Dusan Vuckovic <dv@zammad.com> Co-authored-by: Florian Liebe <fl@zammad.com> Co-authored-by: Mantas Masalskis <mm@zammad.com> Co-authored-by: Rolf Schmidt <rolf.schmidt@zammad.com> Co-authored-by: Tobias Schäfer <ts@zammad.com> 2023-11-03 12:47:39 +00:00			`return if !deletable.is_a?(User)`

			`check_for_system_user`
			`check_for_current_user`
			`check_for_last_admin`
			`end`

			`def check_for_system_user`
Fixes #2074 - Ability of deleting customers and / or all ticket at once. 2020-09-08 15:06:23 +00:00			`return if deletable.id != 1`

Maintenance: Improve DataPrivacyTask error messages 2023-11-22 15:41:08 +00:00			`record.errors.add(:base, __('It is not possible to delete the system user.'))`
Fixes #2074 - Ability of deleting customers and / or all ticket at once. 2020-09-08 15:06:23 +00:00			`end`

			`def check_for_current_user`
			`return if deletable.id != UserInfo.current_user_id`

Maintenance: Improve DataPrivacyTask error messages 2023-11-22 15:41:08 +00:00			`record.errors.add(:base, __('It is not possible to delete your current account.'))`
Fixes #2074 - Ability of deleting customers and / or all ticket at once. 2020-09-08 15:06:23 +00:00			`end`

			`def check_for_last_admin`
			`return if !last_admin?`

Maintenance: Improve DataPrivacyTask error messages 2023-11-22 15:41:08 +00:00			`record.errors.add(:base, __('It is not possible to delete the last account with admin permissions.'))`
Fixes #2074 - Ability of deleting customers and / or all ticket at once. 2020-09-08 15:06:23 +00:00			`end`

			`def check_for_existing_task`
Fixes #3536 - Don't fail job is deletable_id is no longer available. 2021-06-02 11:37:57 +00:00			`return if !record.deletable_id_changed?`
Fixes #2074 - Ability of deleting customers and / or all ticket at once. 2020-09-08 15:06:23 +00:00			`return if !tasks_exists?`

Maintenance: Improve DataPrivacyTask error messages 2023-11-22 15:41:08 +00:00			`record.errors.add(:base, __('Selected object is already queued for deletion.'))`
Fixes #2074 - Ability of deleting customers and / or all ticket at once. 2020-09-08 15:06:23 +00:00			`end`

			`def tasks_exists?`
Fixes #4838 - Data retention rules for cleanup users (or other objects) from the system with the scheduler Co-authored-by: Dominik Klein <dk@zammad.com> Co-authored-by: Dusan Vuckovic <dv@zammad.com> Co-authored-by: Florian Liebe <fl@zammad.com> Co-authored-by: Mantas Masalskis <mm@zammad.com> Co-authored-by: Rolf Schmidt <rolf.schmidt@zammad.com> Co-authored-by: Tobias Schäfer <ts@zammad.com> 2023-11-03 12:47:39 +00:00			`DataPrivacyTask`
			`.where.not(id: record.id)`
			`.where.not(state: 'failed')`
			`.exists? deletable: deletable`
Fixes #2074 - Ability of deleting customers and / or all ticket at once. 2020-09-08 15:06:23 +00:00			`end`

			`def last_admin?`
			`return false if !deletable_is_admin?`

			`future_admin_ids.blank?`
			`end`

			`def future_admin_ids`
			`other_admin_ids - existing_jobs_admin_ids`
			`end`

			`def other_admin_ids`
			`admin_users.where.not(id: deletable.id).pluck(:id)`
			`end`

			`def deletable_is_admin?`
			`admin_users.exists?(id: deletable.id)`
			`end`

			`def existing_jobs_admin_ids`
			`DataPrivacyTask.where(`
			`deletable_id: other_admin_ids,`
			`deletable_type: 'User'`
			`).pluck(:deletable_id)`
			`end`

			`def admin_users`
			`User.with_permissions('admin')`
			`end`
			`end`