delete posts when deleting user

[illori]

we have permissions separate for being able to delete a users account [others] and being able to delete the users posts when you delete the account. i think this is not right.

$context['can_delete_posts'] = !$context['user']['is_owner'] && allowedTo('moderate_forum');

if you can delete posts normally and can also delete an account you should be able to delete the posts along with the account

[Arantor]

moderate_forum is a strange permission. More accurately it is moderate-forum-members. That's pretty implicitly including the right to delete posts. All the check is saying is that if you're not the user whose account it is (i.e. you can't force-delete your own posts), and you can moderate-forum-members you have the power to delete posts with that.

I'm not sure what actually needs changing here - are you suggesting adding a further permissions test to it to prevent people who can delete accounts from not being able to delete posts unless they can also delete them normally? (This is only realistically an issue in the event of having users who can moderate other users but not actually moderate their posts, which should theoretically be a non issue)

[illori]

no i mean that if you have already the perm to delete posts [from anyone/anywhere] why can you not check this box if you can delete a users account?

[Arantor]

So if you present the user the option to delete posts when there is a chance it won't?

Remove posts is a per board permission. As such you cannot remove all posts, only posts in boards that you can delete from, which potentially might mean not all posts.

[illori]

and if the user has the moderate_forum permission you would not run into that issue as well?

[Oldiesmann]

Technically, yes, but given the kind of power you get with moderate_forum (see hidden users, see users' IP addresses, reply to un-approved posts, etc.), it's highly unlikely someone with that permission wouldn't also have permission to delete posts on the forums.

[Arantor]

Illori: no, because as I already pointed out delete topics permission is NOT checked here. It is also a global rather than a board permission.

So like I said, what exactly should change?

[illori]

@Oldiesmann if you have moderate_forum perm it has no effect on replying to unapproved posts

@Arantor i guess there is nothing to change as you dont agree.

the issue came up on the forum where a moderator could delete the users account but could not delete all their posts with the checkbox.

[Arantor]

The thing is, what you're proposing will NOT change that. If anything it will make it worse because it will intimate that things can be removed when they can't, not to mention a performance hurt in doing it.

If you're saying there's a bug with the deletion process, I'm tempted to agree, but only because what 2.0 does is misleading in terms of what gets removed, which is why it was reworded in 2.1 anyway to make it more clear what would be deleted under what circumstances (but it's still not based on remove-post permissions, or shouldn't be, for all the given reasons)

[jdarwood007]

@illori
SMF doesn't have logic here to determine if the delete_any applies to all posts. This is noted in the General Permissions page for the Default Board Permissions section where you apply the Delete Any Post permission.

Note: changing these board permissions will affect all boards currently assigned the "Default" permissions profile. Boards not using the "Default" profile will not be affected by changes to this page.

So if we have more than the default profile and they don't have delete any setup for that profile, this check would fail to properly assume they have permissions to delete everywhere. It also isn't possible as well right now for allowedTo to check based on the profile id, only the board id.

This could be looked at for beyond 2.1, but i don't think we have the code or solution setup to do this correctly with the current permissions setup.

[illori]

then this does not need to be fixed in SMF 2.1.