Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Delete a user from the admin interface #393

Open
jma opened this issue Feb 28, 2022 · 2 comments
Open

Delete a user from the admin interface #393

jma opened this issue Feb 28, 2022 · 2 comments

Comments

@jma
Copy link

jma commented Feb 28, 2022

Is your feature request related to a problem? Please describe.

An administrator can delete a user account from the administration interface.

Describe the solution you'd like

Basically a new delete button on the admin interface.

@lnielsen
Copy link
Member

It's tricky because it involves unsetting the user from many places and figuring out what is personal data and what's not. Here's some thoughts we've been working with in InvenioRDM (not all is relevant for this request):

User deletion

Initiator
User deletion can be initiated by either the user themselves or by an administrator of the system (or someone delegated by the administrator).

Conditions

A user can be deleted if:

  • They own no communities
  • They own no published records.
  • ...

If the user own either communities or published records the initiator must first either 1) remove themselves (possible if there's multiple owners 2) transfer ownership or 3) delete the owned entities.

User deletion request

A new request type could be setup to deal with the account deletion, so that a user e.g. could request deletion of an account. The new request would essentially amount to either an ownership transfer or deletion of owned items.

Requests, events and comments

  • Requests where the user is the creator will be cancelled.
  • Requests where the user is the only direct receiver will be declined.
  • Comments made on requests will be maintained.
  • The only information that will be persisted is the user identifier. All information linking a person to the identifier must be destroyed or sufficiently anonymised to prevent any possible future linking of the identifier with the person.

Institutional accounts

It should be possible to not activate the account deletion, as it has to be controlled from an external system. E.g. in an institutional context, the account deletion is on the identity provider, and not in InvenioRDM. The identity provider can the initiate the user deletion request.

@zguillen
Copy link

zguillen commented Jul 11, 2023

I found a delete_user api and attempted to call it myself but got the error, "AssertionError: Dependency rule tried to blank-out primary key column 'accounts_user_login_information.user_id' on instance '<LoginInformation at 0x7f0069e452e0>" Looks like the foreign key constraint isn't quite right perhaps?

Given this issue and the error I encountered it appears delete_user isn't fully implemented yet, is that right?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants