Can't delete user with PMs, misleading error message

We are using SSO and when someone closes their account, we delete their Discourse account too through the API (or anonymize it, if there’s posts).

However, something seems to be amiss as we have been seeing some 403 errors while doing this. Poking a little bit, I found this to be the error message returned by the API call:

    "http_code": 403,
    "body": "{\"deleted\":false,\"message\":\"User XXX has 0 posts, so they can't be deleted.\"}"

Bit, if there’s 0 posts, it should be possible to be deleted? Looking at the info for this particular account, there’s indeed no posts:

However, there’s a private message to Discobot (tutorial).

So, I think there’s a few things here:

  1. The error message that refused the deletion of the user is counting only the public posts, but perhaps it should count private too?
  2. Actually, should the private messages prevent an account from being deleted? I understand the reasoning for how removing an account complicates the narrative on a public topic, but on a private message perhaps the argument is not as solid?
  3. If the answer to the previous one is still a yes (ie, private message should still prevent removing an account from being removed), should messages to Discobot count too, towards preventing an account from being removed? What I mean is, most people will go through the tutorial and send PMs to Discobot… which makes it virtually impossible to remove many accounts that never participated, just because they did the tutorial (perhaps this is true only after delete_user_max_post_age days, but still).

Lastly, and I’m not sure if this is related with 1., but when checking the API info for this user, it returns:
post_count: 0
can_be_deleted: 1
can_delete_all_posts: 0

But, effectively, this user can’t be deleted. So perhaps the can_be_deleted logic is counting only public posts too?


Good sleuthing! We should fix the error message at minimum.

"body": "{\"deleted\":false,\"message\":\"User XXX has 0 posts, so they can't be deleted.\"}"

It should say

User has x post(s), so they can't be deleted.

We should also probably hint at the situation since this has come up a fair bit

User has x posts(s), either public posts or personal messages, so they can't be deleted


It’s done. I also fixed the incorrect post count in the message.


Thank you @vinothkannans! :+1:

Any chance the fact that can_be_deleted seems to say an account can be deleted when it can’t (due to PMs) can also be looked into? At the moment we have to try deleting the user first and then fallback to anonymize when that fails (since can_be_deleted can’t be trusted).


Might the issue in the following topic be correlated in any way to the issues being discussed in this topic?


This topic was automatically closed after 3 days. New replies are no longer allowed.