I’m new here and hope I’ve chosen the right category.
Since the update to v2.4.0 it is possible for every user to delete his own threads. I don’t think that’s good. Is it possible to set somewhere that nobody but the moderators and administrators can delete complete threads? Anyone should be able to delete their own posts. Just no complete threads.
From personal experience, I’ve seen that they’re only able to delete their own topics if it doesn’t have any replies to it, which I feel is fine. It’s a user’s discretion to initially post the topic and show the content to others on the forum. The same goes for posts.
If a topic has people actively replying or has previously replied, they shouldn’t be able to delete the topic, however, I think this is already the case.
That the user can only delete the topic if there is no answer to it was not known to me. I just tried it. As soon as there is a reply, the topic can only be deleted by a moderator or administrator. I think that’s good. Thank you so much for the clarification.
I don’t think a user is able to delete his own account… only admins can - and even there is the recommendation to anonymize a user to prevent the situation you just described.
I moved some messages from one topic to a new one (offtopic/discussion).
Message from the user from #1 was the first one, so he’s a “topic starter”. People discuss things in this new topic, 80+ messages.
After several days, the user deletes his account. He can do that if the account is registered recently.
The topic is deleted.
This is a real situation. I’ve found this topic because initially I thought the user had just deleted his own topic, but no — he just deleted the account, and that resulted in topic deletion. Discourse wipes all the account data (incl. all posts) upon deletion automatically — I see “topic deleted”, then “account deleted” in the logs.
Nope. When I was trying to reproduce the issue, I successfully created a topic using a freshly registered account, replied to the topic from different accounts, and then deleted the account. The topic was deleted.
All right, I think I got it.
Here are the steps to reproduce the bug.
1. Have a relatively old account (several days), with several posts and one topic
2. Delete all your messages manually
3. Wait until “delete removed posts after” timeout (24 hours by default)
4. Now you have one post - the topic top post. You can delete your account in the profile, and the topic disappears. This is due to delete user self max post count = 1 by default.
Here’s a video demo with delete removed posts after = 0, so the posts are deleted instantly.
After deleting the account, the topic was also deleted.
Check your settings in /admin/site_settings/category/users
These are the default settings shown below. As noted at the bottom, you can set the last value to -1 to disable self-deletion of user accounts. If that’s too strong of a solution, you can lower the maximum number of days delete user max post age… and/or lower the delete all posts maximum.
delete user self max post count = 0 should disallow deleting the user if this account has created a topic with replies, since the top post can’t be deleted.
I believe that’s for when someone signs up, makes one post and then changes their mind. Instead of having to delete their post before deleting their account, they can simply delete their account.
If you don’t want a user to be able to delete their own account, but have to ask to have their account deleted, then set that to -1.
But the delete all posts max should be lowered if you have a problem with users deleting many posts at once. The delete user max post age gives the length of time a user can be deleted after their first post. Lower that to lower the number of days a user can be deleted after their first post.
Changing delete all posts max and delete user max post age to lower values won’t be of much help in my case. In my case, the account was about a week old with 7 posts, but a topic starter.
The deleted topic appeared only in staff logs (the deletion has been performed from “system” account). That confused me, I could not find a topic which I totally remembered.
This action was performed by a person who understood default Discourse settings. The posts were marked for deletion, then after 24 hours had been deleted, then the person changed his email address to a burner one and deleted the account.
The first setting above would probably be the best to counter that type of behavior - decreasing the number of days for the oldest post.
By default, the creator of a topic can delete their topic. Imposing limits on that by using the above settings should help prevent deletion depending upon the number of posts/replies. The last setting should prevent any topic deletion (other than by staff).
I fail to see the logic in changing one’s email address and then deleting their account immediately after… unless the burner account will be used to receive a notification that the account was deleted? But I don’t believe they would get such notification. Why would you notify a spammer that you’ve deleted their account? Spamming the spammer?
Good sleuthing work @ValdikSS – so what you’ve essentially outlined is this:
A user may delete their account if it has only one or zero posts by default in Discourse. However, if that one single post is a topic, the entire topic is deleted.
That is more or less as designed… I don’t think we anticipated this particular special case where a user created a topic as their single post.
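An audit sketch for the case worked out in this thread, added here as an example and not part of any post or of Discourse's own code: it models the self-deletion rule as the posters describe it and lists the replied-to topics that would disappear if their author deleted the account. The `Post` type, the function names and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Post:
    topic_id: int
    opens_topic: bool      # True for the first post of a topic
    removed: bool = False  # purged once "delete removed posts after" has elapsed

def can_self_delete(posts, self_max_post_count):
    """Simplified rule from the thread: -1 disables self-deletion; otherwise the
    account may delete itself while its remaining post count is within the limit."""
    if self_max_post_count < 0:
        return False
    remaining = [p for p in posts if not p.removed]
    return len(remaining) <= self_max_post_count

def topics_at_risk(users, reply_counts, self_max_post_count):
    """Return (user, topic_id, replies) for every replied-to topic that would
    disappear if its author used account self-deletion right now."""
    at_risk = []
    for name, posts in users.items():
        if not can_self_delete(posts, self_max_post_count):
            continue
        for p in posts:
            replies = reply_counts.get(p.topic_id, 0)
            if p.opens_topic and not p.removed and replies > 0:
                at_risk.append((name, p.topic_id, replies))
    return at_risk

# Constructed sample data (not from a real forum).
USERS = {
    # Topic starter who removed every reply they wrote; only the opener remains.
    "user_a": [Post(101, True)] + [Post(101, False, removed=True) for _ in range(6)],
    # Ordinary member with three live posts: over the default limit of 1.
    "user_b": [Post(101, False), Post(102, False), Post(103, True)],
    # New member whose single topic has no replies: nothing others wrote is lost.
    "user_c": [Post(104, True)],
}
REPLY_COUNTS = {101: 80, 102: 5, 103: 2, 104: 0}

if __name__ == "__main__":
    for limit in (1, 0, -1):  # default, tightened, self-deletion disabled
        print(limit, topics_at_risk(USERS, REPLY_COUNTS, limit))
```

Run against a real export of users and posts, the same check shows which discussions depend on a single remaining opening post before any setting is changed.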