Item4905: TWiki Needs Remove User / Delete User functionality

Anyone done anything on Delete User functionality? I see the script on http://twiki.org/cgi-bin/view/Codev/HowToDeleteUserAccount

http://develop.twiki.org/~twiki4/cgi-bin/view/TWiki/ManagingUsers#Removing_User_Accounts says:

To remove a user account (FredQuimby, who logs in as "fred"):

1. If you are using a .htpasswd file, edit the .htpasswd file to delete the line starting fred:
   • Warning: Do not use the Apache htpasswd program with .htpasswd files generated by TWiki! htpasswd wipes out email addresses that TWiki plants in the info fields of this file.
2. Remove the FredQuimby - fred line from the TWikiUsers topic
3. Remove FredQuimby from all groups and from all the ALLOWWEB/ALLOWTOPIC... declarations, if any.
   Note: If you fail to do this you risk creating a security hole, as the next user to register with the wikiname FredQuimby will inherit the old FredQuimby's permissions.
4. [optional] Delete their user topic FredQuimby (including attachments, if any.)

Requiring admins to manually delete is:

1. Inconvenient
2. Error prone
3. Time consuming
4. Requires additionally communication from the site owner to the site systems administrator

lib/TWiki/User.pm:removePassword exists (at line 222 in 4.1.2). It does not seem to be used.

So says Bruce McKenzie:

* purge all traces of account (do "something" with links, or replace home page with a "no tresspassing" sign

• disable account (disallow logins, remove from groups)
• remove home page and login information in anticipation of imminent re-registration. All of these can involve adding comments to the home page if not deleting it outright. Personally, I want to be able to do all/any of these from a web interface. And they are separate enough functions that I would like them all

-- TWiki:Main/MartinCleaver - 29 Oct 2007

I think noone will be against such a feature in TWiki 5.0.

Martin this one is not a bug but a feature enhancement so it should follow the process on http://twiki.org/cgi-bin/view/Codev/TWikiFeature04x02

Please raise a request there - where it will be followed up on. Here on bugs it will rot like most enhancement requests.

If you add yourself as committed developer you even start the 14-day clock of auto acceptance. Provided that you do want to implement it. You have all the right skills for it right? I am setting this as Enhancement and you can use the bug item later for checkins on SVN when your proposal gets accepted which I am sure it will be.

-- TWiki:Main.KennethLavrsen - 29 Oct 2007

How about making it an extension. So people don't have to wait for TWiki-5.o or even get this feature on a 4.x engine.

-- TWiki:Main.MichaelDaum - 01 Nov 2007

Makes a lot of sense.

-- TWiki:Main.KennethLavrsen - 01 Nov 2007

Depends. Right now it looks like the code can get folded right alongside bulk password reset in registration. If so it would be less effort and a cleaner outcome to push it TWiki::UI::Register.

Can extensions override core code yet?

-- TWiki:Main.MartinCleaver - 02 Nov 2007

It's already an extension, in the sense that deleting users should be done in the TWikiuserMapping. Some of the pieces are already there. We would like at some point to abstract the registration code out into a pluggable module in the same way. Until then, the delete user functionality should be folded into UI/Register.pm as Martin implicitly suggests.

-- TWiki:Main.CrawfordCurrie - 02 Nov 2007

Thanks for the pointer to TWikiUserMapping.

I note this in TWiki::UI::Manage::_removeUser (4.1.2)

# Renames the user's topic (with renaming all links) and # removes user entry from passwords. CGI parameters: sub _removeUser {     my $session = shift;      my $webName = $session->{webName};     my $topic = $session->{topicName};     my $query = $session->{cgiQuery};     my $user = $session->{user};      my $password = $query->param( 'password' );      # check if user entry exists     if( $user && !$user->passwordExists()) {         throw TWiki::OopsException( 'attention',                                     web => $webName,                                     topic => $topic,                                     def => 'notwikiuser',                                     params => $user->stringify() );     }      #check to see it the user we are trying to remove is a member of a group.     #initially we refuse to delete the user     #in a later implementation we will remove the from the group (if Access.pm implements it..)     my @groups = $user->getGroups();     if ( scalar( @groups ) > 0 ) {          throw TWiki::OopsException( 'attention',                                     web => $webName,                                     topic => $topic,                                     def => 'in_a_group',                                     params =>                                     [ $user->stringify(),                                       join(', ',                                            map { $_->stringify() }                                            @groups ) ] );     }      unless( $user->checkPassword( $password ) ) {         throw TWiki::OopsException( 'attention',                                     web => $webName,                                     topic => $topic,                                     def => 'wrong_password');     }      $user->remove();      throw TWiki::OopsException( 'attention',                                 def => 'remove_user_done',                                 web => $webName,                                 topic => $topic,                                 params => $user->webDotWikiName() ); }  sub _isValidHTMLColor {     my $c = shift;     return $c =~ m/^(#[0-9a-f]{6}|black|silver|gray|white|maroon|red|purple|fuchsia|green|lime|olive|yellow|navy|blue|teal|aqua)/i;  }  

I didn't see it used anywhere.

-- TWiki:Main.MartinCleaver - 02 Nov 2007

It's called at line 66, in response to the "deleteUserAccount" manage request. I think all it needs is a UI. TWiki Application time.

Why is there no feature request for this? Marked waiting for Martin to raise one.

-- TWiki:Main.CrawfordCurrie - 06 Aug 2008

Looks like http://twiki.org/cgi-bin/view/Codev/HowToDeleteUserAccount is a feature request for this.

-- TWiki:Main.MartinCleaver - 06 Aug 2008