We are using SSO and when someone closes their account, we delete their Discourse account too through the API (or anonymize it, if there’s posts).
However, something seems to be amiss as we have been seeing some 403 errors while doing this. Poking a little bit, I found this to be the error message returned by the API call:
{
"http_code": 403,
"body": "{\"deleted\":false,\"message\":\"User XXX has 0 posts, so they can't be deleted.\"}"
}
But, if there’s 0 posts, it should be possible to be deleted? Looking at the info for this particular account, there’s indeed no posts:
However, there’s a private message to Discobot (tutorial).
So, I think there’s a few things here:
- The error message that refused the deletion of the user is counting only the public posts, but perhaps it should count private too?
- Actually, should the private messages prevent an account from being deleted? I understand the reasoning for how removing an account complicates the narrative on a public topic, but on a private message perhaps the argument is not as solid?
- If the answer to the previous one is still a yes (i.e., private messages should still prevent an account from being removed), should messages to Discobot count too, towards preventing an account from being removed? What I mean is, most people will go through the tutorial and send PMs to Discobot… which makes it virtually impossible to remove many accounts that never participated, just because they did the tutorial (perhaps this is true only after delete_user_max_post_age days, but still).
Lastly, and I’m not sure if this is related to 1., but when checking the API info for this user, it returns:
post_count: 0
can_be_deleted: 1
can_delete_all_posts: 0
But, effectively, this user can’t be deleted. So perhaps the can_be_deleted logic is counting only public posts too?