This user has found a way
Update: another Discourse team member has confirmed how it is possible for a PM/topic, notifications and user to disappear from the Discourse forum. I shall PM copy you in. The team are working on it for you.
It is possible to do this
- Create a new account
- Read just enough to reach trust level 1 (you need that to earn the ability to send a PM)
- Send one PM and one reply max – because accounts can’t self delete with more than 2 posts
- Do this all within 2 days – because accounts can’t self delete more than 2 days after account creation
- Trigger account self-deletion
Pretty hard to do all that, but it could be done, so we’ll have to think about the ramifications here.
You’ll have to up that number of posts to at least 4 because that’s how many she sent me, all but the opening post being deleted within seconds as soon as the “views” showed I was reading it
Thanks for the help here btw
It’s possible there is a bug that is not counting PMs in there @gerhard? We should definitely make sure that’s working as designed in terms of allowed user self-deletes.
Don’t know if it’s at all relevant, as all this is way above me, but the person concerned uses iPads for her internet use.
We’ll get to the bottom of it for sure, we take abuse very seriously and we want everyone to be safe by default!
We did find a bug here where PMs were not counted towards the max 2 posts limit that prevents new account self deletion. That’s … pretty bad, my apologies. Hopefully @gerhard can get that fixed and backported lickety split!
It looks like it’s a 1 post limit where posts in PMs aren’t counted at all. First posts in topics don’t seem to count as well.
So, what should the new rule be? Count every post unless the post belongs to a PM with a system user (e.g. discobot)?
Yes, count almost everything, exceptions should be super rare.
Just wanted to say thank you all, for taking this seriously and looking into it so quickly and thoroughly
I have to say, I really appreciate this entire discussion. You show your commitment to open source ideals by not only reproducing the problem, but sharing steps on how it can be reproduced publicly, and working on a solution where we can see it. That’s impressive.
It is a shame that @Brixey didn’t qualify for the “bug reporter” badge.
If the offending user also resides in the EU then restoring messages they explicitly deleted (without consideration as to whether they can or not) would likely be in violation of the GDPR.
Just to clarify
I didn’t request the messages be publicly restored, simply retrieved to my PMs as they were originally sent, so that the user concerned cannot send a threatening message and then delete it once read.
I can’t see that breaching GDPR?
Possibly, which is quite ironic when the offender had no respect for the privacy of the person they were sending their nasty messages to in the first place!
Yes that is indeed a problem with the GDPR, but it’s her data. Have you tried contacting your local law enforcement agency?
This is a common misconception, but no it likely wouldn’t be considered a breach of GDPR. The purpose of the processing is because they broke the rules of the community. GDPR doesn’t prevent site owners from investigating such incidents.
If they break the terms of the community or break laws you have every right to investigate.
We fixed the problem of PMs not counting toward the max 1 post limit for self-deletes. The fix was also backported to the stable and beta branches.
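The counting rule discussed in this thread, as an added example that is not part of the original posts and is not Discourse's own code: a small Ruby model comparing the buggy post count (PM posts and first posts ignored) with the proposed one (count every post except those in a PM with a system user). The `Post` struct, the method names and the sample posts are hypothetical; the 1-post and 2-day limits are the figures quoted above.

```ruby
# Hypothetical model of the self-delete guard; not taken from the Discourse code base.
Post = Struct.new(:post_number, :private_message, :with_system_user, keyword_init: true)

MAX_POSTS_FOR_SELF_DELETE = 1 # "max 1 post limit" quoted in the thread
MAX_ACCOUNT_AGE_DAYS = 2      # "can't self delete more than 2 days after account creation"

# Behaviour described as the bug: posts in PMs are not counted at all,
# and first posts in topics are not counted either.
def buggy_post_count(posts)
  posts.count { |p| !p.private_message && p.post_number > 1 }
end

# Proposed rule: count every post unless it belongs to a PM with a
# system user (e.g. discobot).
def fixed_post_count(posts)
  posts.count { |p| !(p.private_message && p.with_system_user) }
end

# An account may self-delete only while it is both young and nearly post-free.
def can_self_delete?(account_age_days, counted_posts)
  account_age_days <= MAX_ACCOUNT_AGE_DAYS &&
    counted_posts <= MAX_POSTS_FOR_SELF_DELETE
end

# Constructed sample: one reply in the discobot tutorial PM, then a PM to
# another member consisting of an opening post and three replies.
def sample_posts
  [
    Post.new(post_number: 2, private_message: true, with_system_user: true),
    Post.new(post_number: 1, private_message: true, with_system_user: false),
    Post.new(post_number: 2, private_message: true, with_system_user: false),
    Post.new(post_number: 3, private_message: true, with_system_user: false),
    Post.new(post_number: 4, private_message: true, with_system_user: false)
  ]
end

if __FILE__ == $PROGRAM_NAME
  posts = sample_posts
  age_days = 1 # constructed: account created yesterday
  puts "buggy count=#{buggy_post_count(posts)} " \
       "self-delete allowed=#{can_self_delete?(age_days, buggy_post_count(posts))}"
  puts "fixed count=#{fixed_post_count(posts)} " \
       "self-delete allowed=#{can_self_delete?(age_days, fixed_post_count(posts))}"
end
```

Under the buggy count the sample account looks like it has zero posts and passes the guard; under the proposed count the four PM posts block self-deletion, so the messages remain available to the recipient and to moderators.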