
Account deletion feature

Open iambibhas opened this issue 4 years ago • 2 comments

We discussed it and decided that we won't actually delete any content from the site, but when users opt in to "delete" their accounts, we'll replace their personally identifiable data like names with [deleted], remove emails and disable their accounts. This ticket lists all the things needed to accomplish this:

  1. Replace the user's full name with [deleted]
  2. Release the username, replace it with something random
  3. Delete emails linked to the account (need more detailed steps)
  4. Disable the account so nobody can log in with it
  5. De-link external IDs, phone numbers
  6. Revoke all active memberships
  7. Check the user's deleted/disabled state inside Comment.user along with the comment's state
  8. Do any unread notifications pointing to the user need to be revoked?
  9. Remove the user from all organizations
  10. What else?

iambibhas, Oct 09 '20 05:10

All personal data of a user has to be deleted. This includes:

  1. UserEmail/UserEmailClaim
  2. UserPhone/UserPhoneClaim
  3. Profile (no random usernames)

This will cascade to anything owned by a profile (currently Project), and presents a problem there as projects are collaborative spaces and hold the data of other users. The first cut of user deletion will only work when the profile is empty.

We have a separate "convert user account into organization" ticket for orgs that registered as users. That feature will have to be used to appoint collaborators and release a profile from the user account.

jace, Oct 09 '20 06:10

As a destructive action, this also needs safeguards. One of:

  1. Temporary suspension that the user can undo if they change their mind (Twitter has this)
  2. Actual delete, but send the user a signed packet of data that can be restored with one upload (somewhat dangerous due to possible conflicts when data is exclusive, like an email address)
  3. Gating against hijacks, such as requiring an email or SMS-based confirmation
  4. Backend-only Locked state on a user account, preventing deletion attempts

jace, Oct 09 '20 06:10
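An added Python sketch (not funnel's own code) of the soft-delete steps from the issue body together with two of the safeguards from the last comment, the backend-only Locked state and the "empty profile only" precondition; the `User` fields, `DeletionRefused`, and the function names are assumptions made for this example:

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class User:
    fullname: str
    username: str
    emails: list = field(default_factory=list)        # UserEmail rows
    phones: list = field(default_factory=list)        # UserPhone rows
    external_ids: list = field(default_factory=list)  # external login IDs
    memberships: list = field(default_factory=list)   # active memberships / orgs
    projects: list = field(default_factory=list)      # content owned by the profile
    active: bool = True    # False blocks login
    locked: bool = False   # backend-only Locked state (safeguard 4)
    deleted: bool = False

class DeletionRefused(Exception):
    """A safeguard or precondition blocked the deletion."""

def check_deletable(user: User) -> None:
    # Backend-only lock prevents any deletion attempt.
    if user.locked:
        raise DeletionRefused("account is locked")
    # First cut: only an empty profile may be deleted, since projects hold other users' data.
    if user.projects:
        raise DeletionRefused("profile still owns projects; release them first")

def soft_delete(user: User) -> User:
    """Apply the issue's steps: scrub PII, release the username, disable login."""
    check_deletable(user)
    user.fullname = "[deleted]"
    # Release the original username; the replacement is random so it cannot be guessed.
    user.username = "deleted-" + secrets.token_urlsafe(12)
    user.emails.clear()
    user.phones.clear()
    user.external_ids.clear()
    user.memberships.clear()  # revoke memberships, remove from organizations
    user.active = False       # nobody can log in
    user.deleted = True
    return user

def display_name(user: User) -> str:
    """For Comment.user: check the user's deleted/disabled state before rendering."""
    return "[deleted]" if user.deleted or not user.active else user.fullname
```

In a real deployment the same function would run inside one database transaction so that a failure midway cannot leave an account half-scrubbed but still able to log in.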