Split “delete all posts and topics allowed groups” into own-content and global-content permissions

I think part of the confusion here is that there may be a distinction between different “see deleted content” checks.

Looking at PostGuardian, an individual deleted post does not appear to become visible through can_see_post? merely because the user is in delete_all_posts_and_topics_allowed_groups.

For example, individual deleted-post visibility seems to go through:

```ruby
def can_see_deleted_post?(post)
  return false if !post.trashed?
  return false if @user.anonymous?
  return true if is_staff?
  post.deleted_by_id == @user.id && @user.has_trust_level?(TrustLevel[4])
end
```

So a non-staff TL2 user in delete_all_posts_and_topics_allowed_groups would not necessarily be able to open/read every deleted post body via can_see_post?.

However, the same setting is also used here:

```ruby
def can_see_deleted_posts?(category = nil)
  is_category_group_moderator?(category) ||
    @user.in_any_groups?(SiteSetting.delete_all_posts_and_topics_allowed_groups_map)
end
```

That means the setting is still conceptually broader than just “author can withdraw their own content”. It appears to be used both for deleting other users’ visible posts and for at least some deleted-post visibility/listing affordances.

So my concern is less “this setting definitely exposes every deleted post body in every endpoint”, and more that the current permission combines several concepts:

  1. deleting other users’ posts/topics;
  2. seeing or listing deleted posts/topics in some contexts;
  3. giving authors more control over their own footprint.

For my use case, I would only want the third one.

That is why I think an own-content setting would be cleaner. It could allow a user to delete/withdraw their own posts/topics, subject to existing safeguards, without granting broader moderation-like permissions over other users’ content or deleted-content visibility.
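The split the post argues for, modelled as a stand-alone sketch. This is an added example, not Discourse code and not code from the poster: it mirrors the two visibility checks quoted above in a minimal guardian and places a hypothetical own-content permission beside them. `DemoSetting`, `DemoGuardian`, the `DELETE_OWN_GROUPS` setting, the group ids and the `Post`/`User` structs are all assumptions made for the illustration; category group moderation is omitted.

```ruby
# Added illustration, not Discourse's own code. Models the distinction between
# "delete other users' content", "see/list deleted content" and a hypothetical
# "delete your own content" permission. All names and ids are constructed.

Post = Struct.new(:id, :user_id, :trashed, :deleted_by_id, keyword_init: true)
User = Struct.new(:id, :staff, :anonymous, :trust_level, :groups, keyword_init: true)

module DemoSetting
  # Stand-in for SiteSetting; group ids are arbitrary.
  DELETE_ALL_GROUPS = [10].freeze # delete_all_posts_and_topics_allowed_groups_map
  DELETE_OWN_GROUPS = [20].freeze # hypothetical own-content setting (assumption)
end

class DemoGuardian
  def initialize(user)
    @user = user
  end

  def is_staff?
    @user.staff
  end

  def in_delete_all_groups?
    (@user.groups & DemoSetting::DELETE_ALL_GROUPS).any?
  end

  # Mirrors the per-post visibility check quoted from PostGuardian:
  # staff always; otherwise only the deleter, and only at TL4.
  def can_see_deleted_post?(post)
    return false if !post.trashed
    return false if @user.anonymous
    return true if is_staff?
    post.deleted_by_id == @user.id && @user.trust_level >= 4
  end

  # Mirrors the broad listing check quoted from PostGuardian
  # (category group moderation left out of this sketch).
  def can_see_deleted_posts?
    in_delete_all_groups?
  end

  # Concept 1: deleting other users' visible posts.
  def can_delete_any_post?
    is_staff? || in_delete_all_groups?
  end

  # Concept 3 (hypothetical): an author withdrawing their own, still-visible post.
  # Grants nothing over other users' content and no deleted-content visibility.
  def can_delete_own_post?(post)
    return false if @user.anonymous || post.trashed
    return false unless post.user_id == @user.id
    (@user.groups & DemoSetting::DELETE_OWN_GROUPS).any?
  end

  def can_delete_post?(post)
    return false if post.trashed
    can_delete_any_post? || can_delete_own_post?(post)
  end
end

if __FILE__ == $0
  # Constructed sample: a TL2 member of the own-content group only.
  tl2 = User.new(id: 1, staff: false, anonymous: false, trust_level: 2, groups: [20])
  g = DemoGuardian.new(tl2)
  own = Post.new(id: 1, user_id: 1, trashed: false, deleted_by_id: nil)
  other = Post.new(id: 2, user_id: 2, trashed: false, deleted_by_id: nil)
  gone = Post.new(id: 3, user_id: 2, trashed: true, deleted_by_id: 2)
  puts "own post:        #{g.can_delete_post?(own)}"
  puts "other's post:    #{g.can_delete_post?(other)}"
  puts "list deleted:    #{g.can_see_deleted_posts?}"
  puts "read deleted #3: #{g.can_see_deleted_post?(gone)}"
end
```

The point the sketch makes explicit: a user in the existing broad group gets `can_delete_post?` on others' content and `can_see_deleted_posts?`, while a user in the hypothetical own-content group gets only `can_delete_post?` on their own visible posts, and neither group changes what the per-post `can_see_deleted_post?` check returns for a non-staff user below TL4.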