Entities deletion and media cleanup (#664)

* Communities data is cleaned up on delete

* Product cleanup fixed

* User and Community deletion; Card based UI for edit user and profile screens;

* Fixed test cases

* CodeQL fixes

* Added tests around deleting product

* CodeQL fixes

---------

Co-authored-by: Rajat <hi@rajatsaxena.dev>

Author: rajat1saxena

.cursor/rules/basics.mdc

@@ -7,4 +7,5 @@ alwaysApply: true
 - Command for running script in a workspace: `pnpm --filter <workspace> <command>`.
 - Command for running tests: `pnpm test`.
 - The project uses shadcn for building UI so stick to its conventions and design.
-- In `apps/web` workspace, create a string first in `apps/web/config/strings.ts` and then import it in the `.tsx` files, instead of using inline strings.
+- In `apps/web` workspace, create a string first in `apps/web/config/strings.ts` and then import it in the `.tsx` files, instead of using inline strings.
+- When working with forms, always use refs to keep the current state of the form's data and use it to enable/disable the form submit button.

apps/docs/public/assets/communities/delete-community.png

@@ -79,6 +79,7 @@ export const SIDEBAR: Sidebar = {
                 text: "Unlock additional products",
                 link: "en/communities/grant-access-to-additional-products",
             },
+            { text: "Delete a community", link: "en/communities/delete" },
         ],
         "Email marketing and automation": [
             { text: "Introduction", link: "en/email-marketing/introduction" },
@@ -122,6 +123,7 @@ export const SIDEBAR: Sidebar = {
             { text: "User permissions", link: "en/users/permissions" },
             { text: "Filter users", link: "en/users/filters" },
             { text: "Segment users", link: "en/users/segments" },
+            { text: "Delete a user", link: "en/users/delete" },
         ],
         Developers: [
             { text: "Introduction", link: "en/developers/introduction" },

apps/docs/public/assets/users/delete-user.png

@@ -0,0 +1,201 @@
+---
+title: Delete a Community
+description: Guide to safely deleting communities and all associated data
+layout: ../../../layouts/MainLayout.astro
+---
+
+Deleting a community is a permanent operation that removes the community and all its associated data from your school. This includes all posts, comments, members, and payment plans.
+
+> **Important**: Community deletion is permanent and cannot be undone. All community content, memberships, and payment plans will be permanently removed.
+
+## How Community Deletion Works
+
+When you delete a community, CourseLit performs a comprehensive cleanup:
+
+1. **Content Deletion**: Removes all posts, comments, and reports
+2. **Membership Cleanup**: Cancels all memberships and payment plans
+3. **Page Removal**: Deletes the community's public page
+4. **Media Cleanup**: Removes all associated media files
+5. **Community Document**: Deletes the community itself
+
+## Prerequisites
+
+To delete a community, you must have the `Manage Community` permission.
+
+> **Note**: Even community moderators cannot delete a community. Only users with the `Manage Community` permission (typically site admins) can perform this operation.
+
+## Deleting a Community
+
+1. Navigate to the **Communities** area from your admin dashboard
+2. Select the community you want to delete
+3. Click on **Manage** to open settings
+4. Scroll down to the Danger zone and click on **Delete Community** button
+
+    ![Delete community](/assets/communities/delete-community.png)
+
+5. Confirm the deletion when prompted
+
+## What Gets Deleted
+
+### Community Content
+
+All content within the community is permanently removed:
+
+- **Posts**: All posts created in the community
+- **Comments**: All comments on posts, including nested replies
+- **Reports**: All content reports filed by members
+- **Media**: All images, videos, and files uploaded to posts (when media uploads are enabled)
+
+### Memberships & Subscriptions
+
+All membership-related data is removed:
+
+- **Community Memberships**: All member records for the community
+- **Payment Subscriptions**: All active subscriptions are automatically cancelled
+- **Payment Plans**: All payment plans associated with the community
+- **Included Product Memberships**: If the community's payment plans included access to courses, those memberships are also removed
+- **Post Subscriptions**: All user subscriptions to community posts
+
+### Community Infrastructure
+
+The community's infrastructure is removed:
+
+- **Community Page**: The public-facing community page
+- **Community Settings**: All configuration and settings
+- **Categories**: All community categories
+- **Featured Images**: Community banner and featured images
+
+### Related Data
+
+Additional data associated with the community:
+
+- **Activities**: Activity logs related to payment plan enrollments
+- **Notifications**: Notifications related to the community (for members)
+
+## What Happens to Members
+
+When a community is deleted:
+
+1. **Active Subscriptions**: All payment subscriptions are automatically cancelled through your payment provider (Stripe, PayPal, etc.)
+2. **Membership Records**: All membership records are permanently deleted
+3. **Access Revoked**: Members immediately lose access to the community
+4. **Included Products**: If members had access to courses through the community's payment plan, that access is also revoked
+
+## Payment Plan Considerations
+
+### Subscription Cancellations
+
+- All active subscriptions are cancelled automatically
+- Payment providers (Stripe, PayPal, etc.) are notified
+- No further charges will occur
+- Members will not receive refunds automatically
+
+### Included Products
+
+If your community's payment plans [included access to courses](/en/communities/grant-access-to-additional-products) or other products:
+
+- All memberships to those products (activated through the community plan) are removed
+- Activity logs for those memberships are deleted
+- Direct purchases of those products (not through the community) are not affected
+
+## Media Cleanup
+
+The deletion process handles media files appropriately:
+
+- **Community Images**: Featured images and banners are deleted
+- **Post Media**: When media uploads are enabled, all media from posts is deleted
+- **User Avatars**: Not affected (user avatars are tied to user accounts, not communities)
+
+> **Note**: Currently, media uploads in community posts are not enabled. When this feature is activated, the deletion process will handle post media cleanup automatically.
+
+## Safety Measures
+
+CourseLit implements safety measures to ensure proper deletion:
+
+1. **Permission Check**: Only users with `Manage Community` permission can delete
+2. **Confirmation Required**: Deletion requires explicit confirmation
+3. **Atomic Operation**: The entire deletion succeeds or fails as a unit
+4. **Subscription Cancellation**: Automatic cancellation prevents future charges
+
+## Before Deleting a Community
+
+Consider these steps before deleting:
+
+1. **Notify Members**: Inform community members about the upcoming deletion
+2. **Export Data**: If you need to preserve any content, export it manually. Only works for self-hosted installations.
+3. **Handle Refunds**: Process any necessary refunds through your payment provider
+4. **Alternative Actions**: Consider making the community private instead of deleting it
+
+## After Deletion
+
+After a community is deleted:
+
+- The community page returns a 404 error
+- Members cannot access the community anymore
+- All content is permanently lost
+- Payment subscriptions are cancelled
+- The community name becomes available for reuse
+
+## Handling Refunds
+
+Community deletion does not automatically issue refunds. To handle refunds:
+
+1. **Before Deletion**: Note all active subscriptions and their subscription IDs
+2. **Access Payment Provider**: Log into your Stripe, PayPal, or other payment provider dashboard
+3. **Process Refunds**: Manually issue refunds as appropriate
+4. **Delete Community**: Once refunds are processed, proceed with deletion
+
+## Alternative to Deletion
+
+If you want to preserve content but stop new members from joining:
+
+1. **Disable the Community**: Toggle the community to "disabled" in settings
+2. **Remove Payment Plans**: Archive all payment plans
+
+This approach preserves content while preventing new access.
+
+## Troubleshooting
+
+### Cannot Delete Community
+
+If you encounter errors:
+
+- **"Action not allowed"**: You don't have the `Manage Community` permission
+- **"Item not found"**: The community may have already been deleted or doesn't exist
+- **"Community not found"**: You may not have access to this community
+
+### Subscription Cancellation Issues
+
+If subscriptions fail to cancel:
+
+1. Manually cancel subscriptions in your payment provider's dashboard
+2. Contact support if issues persist
+
+### Partial Deletion
+
+If deletion fails partway through:
+
+- The operation is designed to be atomic, but in rare cases, partial deletion may occur
+- Contact support with error details
+- Manual cleanup may be required
+
+## Best Practices
+
+1. **Communicate Early**: Give members advance notice before deletion
+2. **Export Important Content**: Save any valuable discussions or content
+3. **Process Refunds First**: Handle refunds before deleting to maintain records
+4. **Document the Decision**: Keep records of why and when the community was deleted
+5. **Consider Alternatives**: Evaluate if disabling is sufficient instead of deletion
+
+## GDPR and Data Protection
+
+Community deletion helps with data protection compliance:
+
+- All member data within the community is removed
+- Personal information in posts and comments is deleted
+- Membership records are permanently erased
+- The operation can be part of a broader data cleanup strategy
+
+## Stuck somewhere?
+
+We are always here for you. Come chat with us in our <a href="https://discord.com/invite/GR4bQsN" target="_blank">Discord</a> channel or send a tweet at <a href="https://twitter.com/courselit" target="_blank">@CourseLit</a>.

apps/docs/src/config.ts

@@ -0,0 +1,169 @@
+---
+title: Delete a User
+description: Guide to safely deleting users with GDPR compliance
+layout: ../../../layouts/MainLayout.astro
+---
+
+Deleting a user is a critical operation that removes all personal data associated with that user from your school. This feature is designed to comply with GDPR and other data protection regulations.
+
+> **Important**: User deletion is permanent and cannot be undone. All personal data will be removed, and business entities will be transferred to the admin performing the deletion.
+
+## How User Deletion Works
+
+When you delete a user, CourseLit performs two main operations:
+
+1. **Business Entity Migration**: Transfers ownership of courses, communities, email templates, and other business-critical resources to the admin performing the deletion
+2. **Personal Data Cleanup**: Permanently removes all personal data associated with the user
+
+## Prerequisites
+
+To delete a user, you must have the `Manage Users` permission. Additionally:
+
+- You cannot delete yourself
+- You cannot delete the last user with critical permissions (like `Manage Site`, `Manage Users`, etc.)
+- The system ensures at least one admin remains with each critical permission
+
+## Deleting a User
+
+1. Navigate to the **Users** area from the dashboard
+2. Click on the user you want to delete to open their details
+3. Scroll down to the Danger zone and click on **Delete user** button
+
+    ![Delete user](/assets/users/delete-user.png)
+
+4. Confirm the deletion when prompted
+
+## What Gets Migrated
+
+The following business entities are transferred to the admin performing the deletion:
+
+### Courses & Content
+
+- **Course Ownership**: All courses created by the user
+- **Lesson Ownership**: All lessons created by the user
+- **Page Ownership**: All pages created by the user (course pages, blog pages, etc.)
+
+### Communities
+
+- **Community Ownership**: All communities created by the user
+- **Community Posts**: All posts created by the user in any community
+- **Community Comments**: All comments made by the user
+
+### Email Marketing
+
+- **Email Templates**: All email templates created by the user
+- **Email Sequences**: All email sequences (campaigns) created by the user
+- **Broadcasts**: All email broadcasts created by the user
+
+### Other Business Entities
+
+- **Payment Plans**: All payment plans created by the user
+- **User Themes**: All custom themes created by the user
+- **User Segments**: All user segments created by the user
+
+## What Gets Deleted
+
+The following personal data is permanently removed:
+
+### User Account & Profile
+
+- User account and profile information
+- User avatar and media files
+- Authentication tokens and sessions
+
+### Activity & Engagement
+
+- Course enrollments and memberships
+- Lesson progress and evaluations
+- Download links generated for the user
+- Activity logs and analytics data
+- Notifications sent to the user
+
+### Community Participation
+
+- Community membership records
+- Community post subscriptions
+- Community reports filed by the user
+
+### Email & Communications
+
+- Email delivery records
+- Email event logs (opens, clicks, etc.)
+- Ongoing email sequences for the user
+- Mail request status records
+
+### Financial Records
+
+- Invoices associated with the user
+- Payment subscriptions (cancelled automatically)
+
+### Certificates
+
+- Certificates issued to the user
+
+## GDPR Compliance
+
+This deletion process is designed to comply with GDPR Article 17 (Right to Erasure). When a user is deleted:
+
+- All personal data is permanently removed
+- Business entities are preserved to maintain system integrity
+- The operation is logged for audit purposes
+- Payment subscriptions are automatically cancelled
+
+## Safety Measures
+
+CourseLit implements several safety measures to prevent accidental data loss:
+
+1. **Permission Validation**: Ensures at least one user retains each critical permission
+2. **Self-Deletion Prevention**: You cannot delete your own account
+3. **Confirmation Required**: Deletion requires explicit confirmation
+4. **Atomic Operation**: The entire deletion process succeeds or fails as a unit
+
+## After Deletion
+
+After a user is deleted:
+
+- All their business entities (courses, communities, etc.) continue to function normally under the new owner
+- Students enrolled in their courses can continue learning
+- Community members can continue participating
+- Email sequences continue running for other users
+- The deleted user cannot log in anymore
+
+## Handling Subscription Cancellations
+
+If the deleted user had active payment subscriptions:
+
+- All subscriptions are automatically cancelled
+- The payment provider (Stripe, PayPal, etc.) is notified
+- No further charges will occur
+- Refunds must be handled manually through your payment provider if needed
+
+## Best Practices
+
+1. **Review Before Deletion**: Check what content and entities the user owns before deleting
+2. **Notify Stakeholders**: If the user created important courses or communities, inform relevant team members
+3. **Export Data First**: If you need to retain any information for records, export it before deletion
+4. **Handle Refunds**: Process any necessary refunds through your payment provider before deletion
+5. **Document the Action**: Keep a record of why and when the user was deleted for compliance purposes
+
+## Troubleshooting
+
+### Cannot Delete User
+
+If you encounter an error when trying to delete a user:
+
+- **"Cannot delete last user with permission X"**: This user is the last one with a critical permission. Assign this permission to another user first.
+- **"Action not allowed"**: You don't have the `Manage Users` permission.
+- **"User not found"**: The user may have already been deleted or doesn't exist.
+
+### Subscription Cancellation Failed
+
+If a subscription fails to cancel:
+
+1. Note the subscription ID from the error message
+2. Manually cancel the subscription in your payment provider's dashboard
+3. Try the deletion again
+
+## Stuck somewhere?
+
+We are always here for you. Come chat with us in our <a href="https://discord.com/invite/GR4bQsN" target="_blank">Discord</a> channel or send a tweet at <a href="https://twitter.com/courselit" target="_blank">@CourseLit</a>.