Split “delete all posts and topics allowed groups” into own-content and global-content permissions

I would like to suggest splitting the delete all posts and topics allowed groups setting into narrower permissions.

At the moment, the setting is broad: it allows selected groups to delete posts and topics created by other users, and also to see deleted posts/topics. That makes sense for moderators or trusted moderation groups, but it is too powerful for a use case where I only want users to have stronger control over their own content.

To clarify, I do not mean permanent deletion/hard deletion from the database.

I am mainly asking about the ordinary user-facing deletion/revision-history behaviour: for example, when a user deletes their own post, whether it leaves the usual deleted-post placeholder, whether previous edit content remains accessible through the revision-history UI, and whether there could be a narrower permission for managing that on a user’s own posts only.

A possible split could be:

  1. delete own posts and topics allowed groups
  2. delete all posts and topics allowed groups

The first setting would only apply to content authored by the current user. The second setting would keep the current wider behaviour for groups that are trusted to delete other users’ content and see deleted content.

This would make it easier to follow least-privilege role design. For example, a site might want TL4/Leader users, or a custom trusted group, to have more control over deleting their own posts/topics without also granting them moderation-like power over other users’ content.

I realise there would need to be safeguards, especially where deleting the first post would affect a topic containing other users’ replies. In those cases, Discourse could keep the current restriction, require moderator intervention, or limit the own-content permission to replies/topics without replies.

The main request is for an own-content deletion/revision-history permission that is separate from the current global delete permission, so admins do not have to choose between ordinary user soft deletion and a much broader “can delete other users’ posts/topics” permission.

I think part of the confusion here is that there may be a distinction between different “see deleted content” checks.

Looking at PostGuardian, an individual deleted post does not appear to become visible through can_see_post? merely because the user is in delete_all_posts_and_topics_allowed_groups.

For example, individual deleted-post visibility seems to go through:

# Visibility of an individual trashed post: staff always, otherwise only the
# TL4+ user who performed the deletion; group membership is not consulted here.
def can_see_deleted_post?(post)
  return false if !post.trashed?
  return false if @user.anonymous?
  return true if is_staff?
  post.deleted_by_id == @user.id && @user.has_trust_level?(TrustLevel[4])
end

So a non-staff TL2 user in delete_all_posts_and_topics_allowed_groups would not necessarily be able to open/read every deleted post body via can_see_post?.

However, the same setting is also used here:

# Broader deleted-content check: category group moderators or any member of
# the delete_all_posts_and_topics_allowed_groups setting.
def can_see_deleted_posts?(category = nil)
  is_category_group_moderator?(category) ||
    @user.in_any_groups?(SiteSetting.delete_all_posts_and_topics_allowed_groups_map)
end

That means the setting is still conceptually broader than just “author can withdraw their own content”. It appears to be used both for deleting other users’ visible posts and for at least some deleted-post visibility/listing affordances.

So my concern is less “this setting definitely exposes every deleted post body in every endpoint”, and more that the current permission combines several concepts:

  1. deleting other users’ posts/topics;
  2. seeing or listing deleted posts/topics in some contexts;
  3. giving authors more control over their own footprint.

For my use case, I would only want the third one.

That is why I think an own-content setting would be cleaner. It could allow a user to delete/withdraw their own posts/topics, subject to existing safeguards, without granting broader moderation-like permissions over other users’ content or deleted-content visibility.

To clarify the UI behaviour I would want: I am not asking for deleted content to become visible to ordinary users.

For an own-content deletion permission, the ideal behaviour would be viewer-sensitive:

  • the author can see that their own post has been withdrawn/deleted, perhaps in the usual red deleted-post styling or collapsed state, so they understand what happened and can recover it if recovery is allowed;
  • staff/moderators retain whatever audit and moderation visibility is appropriate;
  • ordinary users should see no trace of the deleted content at all - no post body, no revision history, and ideally no deleted-post placeholder.

So the distinction I am asking for is author control over their own visible footprint, without giving non-staff users deleted-content visibility or global power over other users’ posts/topics.

One extra nuance is revision history.

From looking at PostRevisor, edit history is stored separately through PostRevision, so I am not suggesting that an own-content deletion permission should necessarily hard-delete revision records or remove auditability.

The permission I am imagining is more about ordinary user-facing visibility: whether the author can withdraw their own post/topic, whether the deleted-post placeholder remains, whether ordinary users can view previous edit content, and whether staff/moderators retain whatever audit/moderation access is appropriate (e.g. via “VIEW N HIDDEN REPLY”).

So the split I am asking for is not:

  • “let users erase all traces from the database”

but rather:

  • “let users have more control over their own visible content/footprint”
  • without also granting them global powers to delete other users’ content or see deleted content generally.
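To make the proposed split concrete, here is an added sketch (not Discourse's code, and not a proposed patch) of a minimal guardian that separates an own-content permission from the existing global one and renders a soft-deleted post differently per viewer, as described above. The setting names `delete_own_posts_allowed_groups` / `delete_all_posts_allowed_groups`, the `other_authors_replied` flag and the view symbols are assumptions for illustration.

```ruby
# Added illustration, not Discourse's code: a minimal guardian showing the
# proposed split between an own-content permission and the global one.

# Constructed stand-ins for two hypothetical group-list site settings.
SiteSetting = Struct.new(:delete_own_posts_allowed_groups,
                         :delete_all_posts_allowed_groups)

User = Struct.new(:id, :groups, :staff, keyword_init: true) do
  def staff?; staff; end
  def in_any_groups?(names); !(groups & names).empty?; end
end

# Hypothetical post model; trashed? mirrors Discourse's soft-delete flag.
Post = Struct.new(:id, :user_id, :post_number, :deleted_by_id,
                  :other_authors_replied, keyword_init: true) do
  def trashed?; !deleted_by_id.nil?; end
  def first_post?; post_number == 1; end
end

class Guardian
  def initialize(user, settings)
    @user, @settings = user, settings
  end

  # Global permission: unchanged semantics, may act on anyone's content.
  def can_delete_all_posts?
    @user.staff? || @user.in_any_groups?(@settings.delete_all_posts_allowed_groups)
  end

  # Own-content permission: only the author, and with the safeguard that a
  # first post cannot be withdrawn once other users have replied.
  def can_delete_own_post?(post)
    return false unless post.user_id == @user.id
    return false unless @user.in_any_groups?(@settings.delete_own_posts_allowed_groups)
    !(post.first_post? && post.other_authors_replied)
  end

  def can_delete_post?(post)
    can_delete_all_posts? || can_delete_own_post?(post)
  end

  # Viewer-sensitive rendering of a soft-deleted post.
  def deleted_post_view(post)
    return :body unless post.trashed?
    return :full if can_delete_all_posts?           # staff / global group: audit view
    return :placeholder if post.user_id == @user.id # author sees it was withdrawn
    :hidden                                         # ordinary users see no trace
  end
end
```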