Can't remove invalid users from crate owners

[carols10cents]

This is similar to #1818 but for users.

What happened

• A user had a GitHub account named, let's say, foo.
• Another user someone_else added them as an owner of a crate
• foo deleted their GitHub account (but crates.io has no real knowledge of this)
• foo recreated their GitHub account with the same username (because it was still available), but in this situation GitHub assigns them a new ID
• When foo now logs in to crates.io, it's a different account than their old foo crates.io account because of the new GitHub ID (and if it wasn't, this would be a security problem)
• The new foo account is NOT an owner of the crate
• someone_else can't add the new foo account as an owner, nor can they remove the old foo as an owner :(

What should happen

• Removing an owner, whether it's valid/current or not, should always work (if performed by another valid owner, etc)
• Once that removal works, it should be possible to add the new account as an owner

[sgrif]

This is slightly different framing, but almost the same as #1585

[sgrif]

#1586 would also let us manually resolve this problem when we're aware of it (but that PR does not currently automatically mark users as deleted in the cases where we could detect it -- which in this case we could have). It needs some work to get up to date, but is something I can update if that approach is considered worthwhile

[dmntk]

I am currently having this problem with my crates. I would love to contribute to crates.io and fix it, but I have no idea where to start. Is there any possibility, that someone points the starting source code where to start looking for the functionality that removes an owner? Thanks in advance for help!

[EngosSoftware]

Maybe here in src/models/krate.rs:

 pub fn owner_remove(
        &self,
        app: &App,
        conn: &mut PgConnection,
        req_user: &User,
        login: &str,
    ) -> AppResult<()> {
        let owner = Owner::find_or_create_by_login(app, conn, req_user, login)?;

        let target = crate_owners::table.find((self.id(), owner.id(), owner.kind()));
        diesel::update(target)
            .set(crate_owners::deleted.eq(true))
            .execute(conn)?;
        Ok(())
    }

???