You are here: Foswiki>Tasks Web>Item4905 (02 Apr 2013, LynnwoodBrown)Edit Attach

Item4905: Need Remove User / Delete User functionality

Priority: Enhancement
Current State: No Action Required
Released In: n/a
Target Release: major
Applies To: Engine
Component: UserMapping
Reported By: MartinCleaver
Waiting For:
Last Change By: LynnwoodBrown
Anyone done anything on Delete User functionality? I see the script on says:

To remove a user account (FredQuimby, who logs in as "fred"):

  1. If you are using a .htpasswd file, edit the .htpasswd file to delete the line starting fred:
    • Warning: Do not use the Apache htpasswd program with .htpasswd files generated by TWiki! htpasswd wipes out email addresses that TWiki plants in the info fields of this file.
  2. Remove the FredQuimby - fred line from the TWikiUsers topic
  3. Remove FredQuimby from all groups and from all the ALLOWWEB/ALLOWTOPIC... declarations, if any.
    Note: If you fail to do this you risk creating a security hole, as the next user to register with the wikiname FredQuimby will inherit the old FredQuimby's permissions.
  4. [optional] Delete their user topic FredQuimby (including attachments, if any.)

Requiring admins to manually delete is:
  1. Inconvenient
  2. Error prone
  3. Time consuming
  4. Requires additionally communication from the site owner to the site systems administrator
lib/TWiki/ exists (at line 222 in 4.1.2). It does not seem to be used.

So says Bruce McKenzie:
* purge all traces of account (do "something" with links, or replace home page with a "no tresspassing" sign smile

  • disable account (disallow logins, remove from groups)
  • remove home page and login information in anticipation of imminent re-registration. All of these can involve adding comments to the home page if not deleting it outright. Personally, I want to be able to do all/any of these from a web interface. And they are separate enough functions that I would like them all

-- TWiki:Main/MartinCleaver - 29 Oct 2007

I think noone will be against such a feature in TWiki 5.0.

Martin this one is not a bug but a feature enhancement so it should follow the process on

Please raise a request there - where it will be followed up on. Here on bugs it will rot like most enhancement requests.

If you add yourself as committed developer you even start the 14-day clock of auto acceptance. Provided that you do want to implement it. You have all the right skills for it right? I am setting this as Enhancement and you can use the bug item later for checkins on SVN when your proposal gets accepted which I am sure it will be.

-- TWiki:Main.KennethLavrsen - 29 Oct 2007

How about making it an extension. So people don't have to wait for TWiki-5.o or even get this feature on a 4.x engine.

-- TWiki:Main.MichaelDaum - 01 Nov 2007

Makes a lot of sense.

-- TWiki:Main.KennethLavrsen - 01 Nov 2007

Depends. Right now it looks like the code can get folded right alongside bulk password reset in registration. If so it would be less effort and a cleaner outcome to push it TWiki::UI::Register.

Can extensions override core code yet?

-- TWiki:Main.MartinCleaver - 02 Nov 2007

It's already an extension, in the sense that deleting users should be done in the TWikiuserMapping. Some of the pieces are already there. We would like at some point to abstract the registration code out into a pluggable module in the same way. Until then, the delete user functionality should be folded into UI/ as Martin implicitly suggests.

-- TWiki:Main.CrawfordCurrie - 02 Nov 2007

Thanks for the pointer to TWikiUserMapping.

I note this in TWiki::UI::Manage::_removeUser (4.1.2)

# Renames the user's topic (with renaming all links) and # removes user entry from passwords. CGI parameters: sub _removeUser {     my $session = shift;      my $webName = $session->{webName};     my $topic = $session->{topicName};     my $query = $session->{cgiQuery};     my $user = $session->{user};      my $password = $query->param( 'password' );      # check if user entry exists     if( $user && !$user->passwordExists()) {         throw TWiki::OopsException( 'attention',                                     web => $webName,                                     topic => $topic,                                     def => 'notwikiuser',                                     params => $user->stringify() );     }      #check to see it the user we are trying to remove is a member of a group.     #initially we refuse to delete the user     #in a later implementation we will remove the from the group (if implements it..)     my @groups = $user->getGroups();     if ( scalar( @groups ) > 0 ) {          throw TWiki::OopsException( 'attention',                                     web => $webName,                                     topic => $topic,                                     def => 'in_a_group',                                     params =>                                     [ $user->stringify(),                                       join(', ',                                            map { $_->stringify() }                                            @groups ) ] );     }      unless( $user->checkPassword( $password ) ) {         throw TWiki::OopsException( 'attention',                                     web => $webName,                                     topic => $topic,                                     def => 'wrong_password');     }      $user->remove();      throw TWiki::OopsException( 'attention',                                 def => 'remove_user_done',                                 web => $webName,                                 topic => $topic,                                 params => $user->webDotWikiName() ); }  sub _isValidHTMLColor {     my $c = shift;     return $c =~ m/^(#[0-9a-f]{6}|black|silver|gray|white|maroon|red|purple|fuchsia|green|lime|olive|yellow|navy|blue|teal|aqua)/i;  }  

I didn't see it used anywhere.

-- TWiki:Main.MartinCleaver - 02 Nov 2007

It's called at line 66, in response to the "deleteUserAccount" manage request. I think all it needs is a UI. TWiki Application time.

Why is there no feature request for this? Marked waiting for Martin to raise one.

-- TWiki:Main.CrawfordCurrie - 06 Aug 2008

Looks like HowToDeleteUserAccount is a feature request for this.

-- TWiki:Main.MartinCleaver - 06 Aug 2008

god, Foswiki::Register::deleteUserAccount is a deadly thing. it just plain deletes YOU whoever happens to be logged in at the time.

if the password is correct (and the browser will probably helpfully auto fill it, you've just deleted yourself from the system, without any 'are you sure' nothing?

the order of the code is odd, in that it checks the password last, and the admin is mostly saved from this accidental ouchie by the happenstance that they're in a group.

perhaps someone should leverage this manage call to add a proper delete user so would use the folowing params (restricted to admin)
  • loginname - of the user/users to remove
  • removeUserTopic=0/1
  • removeAllTraces=0/1 - rename user topic, then delete
  • suspend=0/1 - tell the password system this user isn't able to login, and isn't able to relset their pwd.

-- SvenDowideit - 28 Sep 2009

It was marked as waiting for HowToDeleteUserAccount, which got rejected because nobody cared. I still think we need this feature, so I won't close this bug, but I will remove the Waiting for field to avoid getting emails about it.

-- OlivierRaginel - 04 Jun 2011

Closing this. The latest AntiWikSpamPlugin has a facility to remove a user. It's focused mainly on Spam cleanup, so it doesn't remove the user from any groups or locate modified topics. But it does clean up the .htpasswd, WikiUsers and Users topics.

-- GeorgeClark 20 Mar 2012

For general reference, I see that AntiWikSpamPlugin reportedly now also removes deleted users from any groups.

-- LynnwoodBrown - 02 Apr 2013

ItemTemplate edit

Summary Need Remove User / Delete User functionality
ReportedBy MartinCleaver
SVN Range
AppliesTo Engine
Component UserMapping
Priority Enhancement
CurrentState No Action Required
Checkins distro:b18b8992516a
TargetRelease major
ReleasedIn n/a
Topic revision: r19 - 02 Apr 2013, LynnwoodBrown
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy