Allow a user to delete their own account #2122

Draft
wants to merge 1 commit into
base: master

peregrineshahin
Contributor

image

@peregrineshahin peregrineshahin force-pushed the allow_delete branch 10 times, most recently from e97d8cc to 5428051, July 20, 2024 08:42
@vdbergh
Contributor

vdbergh commented Jul 20, 2024

How about flagging the account as deleted, instead of deleting it from the database?

@peregrineshahin
Contributor Author

> How about flagging the account as deleted, instead of deleting it from the database?

Tests will not be deleted and shall be accessible with links as they are not user-url-encoded, although the test page of the user will not show their tests as it will give 404 after clicking their tests link from a test which is fine I think.
Removing the user from the database in case they wanted so keeps the integrity of the website and is by today's standard not just security but also related to legal ramifications from GDPR and similar laws.

@ddobbelaere

ddobbelaere commented Jul 20, 2024

After the account is deleted, is it still possible (e.g. by somebody else) to reregister the same account name?

If so, this certainly does not feel right to me and means that there should be at least a list of past account names kept. But you might as well "flag" the account as deleted then (along with removing all possible personal data except the user name), as @vdbergh alludes to.

@peregrineshahin
Contributor Author

> After the account is deleted, is it still possible (e.g. by somebody else) to reregister the same account name?
>
> If so, this certainly does not feel right to me and means that there should be at least a list of past account names kept. But you might as well "flag" the account as deleted then (along with removing all possible personal data except the user name), as @vdbergh alludes to.

That's not the only way to prevent impersonation; we can check for registration on demand if there was any action related to such username before.

@vondele
Member

vondele commented Jul 21, 2024

Some comments here that come to my mind... nothing definitive.

  • I do think we need to keep a trace of that user in the DB. The user handle is part of the logs / tests etc.
  • There needs to be a mechanism to prevent misuse, e.g. create account, spam, delete account is probably not ideal. So, like we do for creation, I think it makes sense to require approval for deletion.
  • I think rather than deleting the user, I think removing user data associated with that field is the way to go (which I think is just the email, maybe the real name is provided as well).
  • We do need to make sure the user handle can't be recycled.
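
The requirements raised in this thread (keep a trace of the handle, require approval for deletion, remove personal data, never recycle the handle) can be sketched as a tombstone scheme. This is an added example, not code from the pull request or the project; `UserStore`, its field names, the state names and the in-memory dict are assumptions made for illustration.

```python
import time


class UserStore:
    """In-memory stand-in for a users collection (hypothetical schema)."""

    def __init__(self):
        self.users = {}  # normalised handle -> record

    @staticmethod
    def _key(username):
        # Case-insensitive comparison so "Alice" cannot shadow a deleted "alice".
        return username.strip().casefold()

    def register(self, username, email):
        key = self._key(username)
        if key in self.users:
            # Active, pending and tombstoned handles are all unavailable.
            raise ValueError("username unavailable")
        self.users[key] = {"username": username, "email": email,
                           "state": "active", "deleted_at": None}

    def request_deletion(self, username):
        user = self.users[self._key(username)]
        if user["state"] != "active":
            raise ValueError("no active account")
        user["state"] = "pending_deletion"  # nothing is erased until approved

    def approve_deletion(self, username, now=None):
        user = self.users[self._key(username)]
        if user["state"] != "pending_deletion":
            raise ValueError("deletion was not requested")
        user["email"] = None  # scrub personal data
        user["state"] = "deleted"  # the handle stays behind as a tombstone
        user["deleted_at"] = time.time() if now is None else now

    def can_login(self, username):
        user = self.users.get(self._key(username))
        return user is not None and user["state"] == "active"


if __name__ == "__main__":
    store = UserStore()
    store.register("Alice", "alice@example.org")  # constructed sample data
    store.request_deletion("Alice")
    store.approve_deletion("Alice")
    print(store.users["alice"])
    try:
        store.register("alice", "someone-else@example.org")
    except ValueError as exc:
        print("re-registration rejected:", exc)
```

Because the tombstone record keeps only the handle, logs and tests that reference it stay resolvable while the email is gone.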

@peregrineshahin peregrineshahin marked this pull request as draft July 23, 2024 15:50