GDPR Compliant erasure requests

app/apps/accounts/views.py

@@ -1,16 +1,37 @@
-from django.contrib.auth.decorators import login_required
-from django.shortcuts import render
 from django.conf import settings
-from django.shortcuts import redirect
-from django.contrib.auth import views as auth_views
 from django.contrib.auth import logout
+from django.contrib.auth import views as auth_views
+from django.contrib.auth.decorators import login_required
+from django.shortcuts import redirect, render
+
+from .forms import ErasureRequestForm
+from .models import ErasureRequest
 
 
 @login_required(login_url="/accounts/login/")
 def profile(request):
+  erasure_request = (
+    ErasureRequest.objects.filter(user=request.user).order_by("-requested_at").first()
+  )
+  if request.method == "POST":
+    form = ErasureRequestForm(request.POST)
+    if form.is_valid():
+      if erasure_request and erasure_request.status == ErasureRequest.Status.PENDING:
+        form.add_error(None, "You already have a pending erasure request.")
+      else:
+        ErasureRequest.objects.create(
+          user=request.user,
+          reason=form.cleaned_data["reason"].strip(),
+        )
+        return redirect("accounts:profile")
+  else:
+    form = ErasureRequestForm()
+
   context = {
     "user": request.user,
     "auth_mode": getattr(settings, "KEYWARDEN_AUTH_MODE", "hybrid"),
+    "erasure_request": erasure_request,
+    "erasure_form": form,
   }
   return render(request, "accounts/profile.html", context)
 
@@ -26,4 +47,3 @@ def login_view(request):
 def logout_view(request):
   logout(request)
   return redirect(getattr(settings, "LOGOUT_REDIRECT_URL", "/"))
-