MDL-14248

Enabling users to delete their account

    Details

    • Database:
      Any
    • Testing Instructions:

      Log in as admin, then as guest, then as a student.

      As each of those users, go to your user profile. There should not be a link to delete your account.

      Directly navigate to /user/delete.php and you should get an error.

      As admin go to site admin > users > permissions > define roles and click the cog icon next to authenticated user. Allow moodle/user:deleteaccount.

      As admin and guest you still should not get a delete account link.

      As a student go to your own profile. You should now have a delete account link.

      Clicking it takes you to a confirmation screen. Clicking no should return you to your profile.

      Click delete my account, click yes, click continue. You should now be logged out and be unable to log back in.

    • Affected Branches:
      MOODLE_19_STABLE, MOODLE_27_STABLE
    • Pull Master Branch:
      MDL-14248_delete_user

      Description

      I'm afraid that users aren't able to delete their own account. In some countries, for example Germany, this feature is obligatory due to German privacy laws, so that many many users would appreciate it if this feature would be realized.

            Activity

            Helen Foster added a comment -

            Changing the security level to allow everyone to view the issue.

            Helen Foster added a comment -

            Just noting that there are often requests for moodle.org accounts to be deleted.

            Andrew Davis added a comment - - edited

            Here is a rough initial implementation. I have added a new page that allows a user to delete their own account (and only their own account). Admin and guest cannot be deleted.

            It does work but a few decisions need to be made.

            1) How should users access this? Right now the only way to get to it is to type in the URL /user/delete.php. A link on /user/profile.php seems the most obvious spot but I'm not sure if we want it that prominent.

            2) How do we control access to this functionality? The 'moodle/user:delete' capability in the user's own context? A site setting that just turns on this functionality for all users? Right now any non-admin, non-guest user can delete their own account. This functionality will want to be unavailable by default but we will need to provide an easy way to turn it on.

            Vinny Stocker added a comment -

            For me it would make sense as you've suggested on /user/profile.php - place the link in the Administration block > My Profile settings (under Edit profile).
            Would it need a new capability? moodle/user:deleteownaccount then it could be applied to particular roles.

            Access could be turned on on this page admin/settings.php?section=userpolicies

            Just a few thoughts, there are plenty of ways it could be implemented.

            Petr Skoda added a comment - - edited

            This patch does not make much sense to me because you cannot just delete your account - you would have to ask the auth plugin to make sure that the delete is actually possible, otherwise the account might be recreated immediately. Also there should be some grace period before the actual delete in my opinion, such as doing the actual delete in cron later or doing confirmation via email. I suppose it would be very useful if admin could also confirm the pending deletes too. This might be actually implemented as a new admin tool - I wish we had the hooks already so that it could hook itself into the profile page.

            Andrew Davis added a comment -

            Here is a somewhat updated version. A link appears on the user's own profile page if they have the new capability 'moodle/user:deleteaccount'. No one has the capability by default.

            The issue of the auth plugins is interesting. As far as I can see we aren't doing anything clever with bulk user deletion either. We just call delete_user($user) and it's done.

            CiBoT added a comment -

            Fails against automated checks.

            Checked MDL-14248 using repository: https://github.com/andyjdavis/moodle.git

            master (branch: MDL-14248_delete_user | CI Job)
            Error: The MDL-14248_delete_user branch at https://github.com/andyjdavis/moodle.git does not apply clean to master

            More information about this report

            Petr Skoda added a comment -

            Auth is very important - the deleting elsewhere is done by admins that are supposed to know a lot more, you cannot just let anybody delete their account, sorry. Another issue is that the Moodle way of deleting accounts keeps all the public data visible - users want to get rid of public data, not just ability to log-in to the site.

            In any case 'contextlevel' => CONTEXT_SYSTEM is wrong level for user related capability and the capability name is confusing.

            Sam Hemelryk added a comment -

            Hi Andrew,

            I've been having a look at this and have noted the following:

            1. Sesskey should be validated at both steps (the link and the confirmation) for security.
            2. Petr mentioned the idea of a grace period or admin confirmation. I also think that there needs to be some better method of ensuring the user hasn't arrived here by accident or actions of malice. Personally I think cron based deletion 24 hours after request to delete, cancelled by the user logging in again after the request, or manually by admin. This is quite common; I've encountered this on several sites myself and I feel this would be the single best solution.
            3. Petr also mentioned the issue of auth plugins, this is definitely something worth dealing with. Most plugins will instantly recreate the user account next time cron runs so only allowing deletion of the account if the user's auth method supports it would be a confusion saving move. I don't believe we have any API for checking this presently, until now it has only been an administration task and I suppose we trusted them to know how their system worked. As this is a feature you must turn on perhaps it is something that can be added in a secondary issue, either way I think it is very worthwhile considering it and I don't imagine it would take too long to code.
            4. On the confirmation page there should be a better description of what this means. Of course if the above is done that process should be described. If it is left as is it should explain that the action is immediate and that there is no way to recover your account, after this happens you're out.
            5. I believe the Yes and No buttons should be the other way round, the Yes should be on the right. Perhaps for usability it should be coloured as well (the backup buttons were handled like this for example) see theme/bootstrapbase/less/expandable.less line 86. In this case perhaps colouring it red would be better as it's an exceptional action.
            6. The user/delete.php page should be set up better:
              • $PAGE->set_title() perhaps something like fullname(): confirm delete
              • $PAGE->set_heading() I'd make this the confirmation string
              • Change the in page heading to something like fullname() are you sure you want to delete your account?
              • Do we want blocks on this page? If so perhaps set page layout to admin.

            Cheers
            Sam
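
Points 1 to 3 of the review above (sesskey checked at both steps, a 24-hour grace period cancelled by login or by an admin, and refusing deletion when the auth method would recreate the account) are modelled below. This is an added standalone Python example, not part of the thread and not Moodle code; `User`, `check_request`, `show_confirmation`, `confirm_deletion`, `cancel_pending`, `cron` and the `auth_allows_delete` flag are hypothetical names.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

GRACE_SECONDS = 24 * 60 * 60  # 24-hour delay proposed in the review

@dataclass
class User:  # constructed model, not Moodle's user record
    name: str
    is_admin: bool = False
    is_guest: bool = False
    can_delete_own: bool = False      # stands in for the capability; off by default
    auth_allows_delete: bool = False  # assumed flag: auth backend will not recreate the account
    sesskey: str = field(default_factory=lambda: secrets.token_hex(16))
    delete_due: Optional[float] = None  # when cron may delete; None = nothing pending
    deleted: bool = False

def check_request(user, token):
    """Checks repeated at BOTH steps: the profile link and the confirmation."""
    if not hmac.compare_digest(user.sesskey, token):
        raise PermissionError("invalid sesskey")
    if user.is_admin or user.is_guest or not user.can_delete_own:
        raise PermissionError("account deletion not permitted")
    if not user.auth_allows_delete:
        raise PermissionError("auth method would recreate the account")

def show_confirmation(user, token):
    check_request(user, token)
    return "Your account will be deleted in 24 hours unless you log in again."

def confirm_deletion(user, token, now):
    check_request(user, token)
    user.delete_due = now + GRACE_SECONDS  # schedule only; nothing is deleted yet
    return user.delete_due

def cancel_pending(user):
    """Called when the user logs in again, or manually by an admin."""
    user.delete_due = None

def cron(users, now):
    """Delete only accounts whose grace period has fully elapsed."""
    removed = []
    for u in users:
        if not u.deleted and u.delete_due is not None and now >= u.delete_due:
            u.deleted = True
            removed.append(u.name)
    return removed
```

Because the confirmation step only records a due time, a forged or accidental request that slips through leaves the account recoverable until the next `cron` pass after the grace period.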

            Helen Foster added a comment -

            Just noting a plugin which enables users who self-registered to delete their account:
            https://moodle.org/plugins/view.php?plugin=local_goodbye


              • Votes: 8
              • Watchers: 12