Add initial support for user deletion request

[joelverhagen]

Progress on https://github.com/NuGet/Engineering/issues/921.

The changes were getting big so I stopped and made a PR. Hopefully easier to review.

This PR:

1. Update the "report my package" form to support a new hidden drop-down (delete decision) and confirmation checkbox.
2. Add new notification message so that all owners know a version was deleted.
3. Add method to IPackageDeleteService to determine if a package can be deleted. It always returns false right now.
4. Add logic to soft delete the package and auto-close the support request.

TODO:

1. Implement "can I delete this?" logic.
2. Introduce configuration for the aforementioned logic.
3. Functional test (hopefully)

Without these TODOs, the new code paths introduced by this PR will not be available yet.

[chenriksson]

Does this mean that lack of permissions is going to result in the same UI validation error for when a delete decision wasn't provided?

[joelverhagen]

In this case, the UI will behave as if the delete decision UI was hidden. Really, the user should never get into this case because the UI doesn't allow it. The missing delete decision validation error only occurs if allowDelete is true (which is not the case here).

[chenriksson]

Will the user receive a message that the support request was sent?

[joelverhagen]

deleted will still be false so we will show the "support request sent" message as usual.

[chenriksson]

There's also a HtmlExtensions class. Maybe we should move these HtmlHelper extensions there?

[joelverhagen]

Hm, good point. I'll take a look at that.

[joelverhagen]

It looks like this is a big mess already. I will create an issue to clean this up.
#5015

[skofman1]

can you attach screenshots?

[joelverhagen]

Select a reason

After choosing a delete reason

After choosing the delete decision

After choosing the contact support decision

After deleted

[skofman1]

do we need to evaluate CanPackageBeDeletedByUserAsync is DeleteDecision is not DeletePackage? If the user just wants to contact support we are doing unnecessary work here.

[joelverhagen]

Great point, no we don't.

[joelverhagen]

Fixed.

[skofman1]

automatic package deletion

[joelverhagen]

Fixed. Good point.

[skofman1]

when will AddNewSupportRequestAsync return null?

[joelverhagen]

If the commit to the support request DB fails. This is existing logic in the support request service.

[skofman1]

this method is to big. Can you split it to smaller methods?

[joelverhagen]

Sure!

[joelverhagen]

Fixed.

[skofman1]

I know this controller doesn't do much use of Strings, but perhaps it time to start?

[joelverhagen]

Sure!

[joelverhagen]

Fixed.

[skofman1]

Are the permissions required for reporting a package are the same as for deleting a package? Do we need a special check for the later?

[joelverhagen]

Same permissions. The keyword here is "My" in "ReportMyPackage".

[skofman1]

🕐

[skofman1]

[scottbommarito]

woops, looks like i missed the bell

[scottbommarito]

I would add some comments on what these are for.

/// <summary>
/// Reasons that users can select when reporting abuse by a package they do not own.
/// </summary>
private static readonly IReadOnlyList<ReportPackageReason> ReportAbuseReasons = new[] { ... }

/// <summary>
/// Reasons that users can select when reporting their own package.
/// </summary>
private static readonly IReadOnlyList<ReportPackageReason> ReportMyPackageReasons = new[] { ... }

/// <summary>
/// Subset of <see cref="ReportMyPackageReasons"/> that suggests a user would like to delete a package.
/// </summary>
private static readonly IReadOnlyList<ReportPackageReason> DeleteReasons = new[] { ... }

[joelverhagen]

Yeah, good idea. Thanks for doing the work for me 😉

[scottbommarito]

I know this isn't related to this PR, but shouldn't MVC do this encoding for us?

If it's needed, we should have a comment describing why.

[joelverhagen]

Out of scope of this PR. I think we are encoding it since it makes its way into the email system.

[scottbommarito]

1 - This should be in Strings.resx
2 - We should be more verbose here: for example, "A signature is required when submitting a copyright violation request."

[joelverhagen]

Yes, that should be in Strings.

The context of the UI negates the need for verbosity. If the message field is visible, it is required.

[scottbommarito]

same as above: shouldn't MVC do the encoding for us?

[joelverhagen]

See above.

[scottbommarito]

Seems really odd to me that we are changing the form here. It also made the logic more confusing for me.

If someone specifies they would like to delete their package, shouldn't we either
1 - return an error message that says they package does not meet the criteria
2 - keep the deletion state so that the on-call can see it in the support request

Regardless, there should be a comment on this line describing what we are doing.

[joelverhagen]

1 - return an error message that says they package does not meet the criteria

Why show an error message? The only way this can happen is if someone is fiddling with the request or if they get the form while the package can be deleted and only submit it after the package can't be deleted. We shouldn't put extra effort into these cases.

2 - keep the deletion state so that the on-call can see it in the support request

The deletion state shouldn't even be persisted in this case. It's a bad request which should be rejected early on.

Regardless, there should be a comment on this line describing what we are doing.

Sounds good.

[scottbommarito]

If the user attempts to the delete the package, why are we creating a support request?

Seems unnecessary. We should just delete it and if it fails, then create the request. Probably makes this code simpler because we don't need to pass around this support request object.

Also, it's very odd to be creating support requests we don't get emails for.

[joelverhagen]

This is to track the auto-delete in a way the PMs asked for.

[scottbommarito]

nit: user's -> users

[scottbommarito]

To keep the same phrasing, this I will not be able to upload a new package with the same version. or something similar might be better.

[joelverhagen]

Yeah, I like that better too.

[scottbommarito]

Can consolidate this into a helper message to be used in a number of these other tests

private void AssertContainsMessage(PackagesController controller, string message)
{
    Assert.Contains(message, _controller.ModelState.Values.SelectMany(x => x.Errors).Select(x => x.ErrorMessage));
}

[joelverhagen]

Sure.

[scottbommarito]

two thoughts:

1 - we should make this run on all members of PackagesController.DeleteReasons
2 - if we are concerned about the members of PackageController.DeleteReasons changing, then there should be tests for that

[joelverhagen]

Kind of out of scope, as there was no pre-existing validation on which reasons were being sent, but I'll add tests for it.

[joelverhagen]

@scottbommarito, I will address these comments in a follow-up PR.