Problem
Users with DELETE permission on a folder can accidentally destroy entire folder trees — including all live content, subfolders, pages, and links — in a single action. There is currently no guard against this; the operation proceeds regardless of how much content is inside the folder. This is a significant accidental-data-loss risk for teams managing production content.
Goal
Allow dotCMS administrators to enable a safety guard — via a configuration flag — that blocks deletion of any folder that still contains live content (subfolders, contentlets, links, or pages). When the flag is off, existing behavior is completely unchanged.
Reproduction Steps
- Have a folder with any live content inside (page, contentlet, link, or subfolder).
- As a user with DELETE permission on that folder, trigger folder deletion.
- Observed: Folder and all its contents are deleted without warning.
- Expected: When
DOT_NO_DELETE_NOTEMPTY_FOLDER=true, deletion is blocked and a clear error message is shown.
Acceptance Criteria
Proposed Implementation Notes
The guard belongs in _deleteFolder() in EditFolderAction.java. A recursive private helper isNotEmpty(Folder f) should return true if the folder or any descendant contains live content. The guard activates only when Config.getBooleanProperty("DOT_NO_DELETE_NOTEMPTY_FOLDER", false) returns true.
⚠️ System.getenv() must not be used — use Config.getBooleanProperty() per dotCMS conventions.
Target Personas
- Content teams
- System administrators (dotCMS)
Severity
Urgent
dotCMS Version
dotCMS 25.09.18-1 (dotEvergreen)
Links
Problem
Users with DELETE permission on a folder can accidentally destroy entire folder trees — including all live content, subfolders, pages, and links — in a single action. There is currently no guard against this; the operation proceeds regardless of how much content is inside the folder. This is a significant accidental-data-loss risk for teams managing production content.
Goal
Allow dotCMS administrators to enable a safety guard — via a configuration flag — that blocks deletion of any folder that still contains live content (subfolders, contentlets, links, or pages). When the flag is off, existing behavior is completely unchanged.
Reproduction Steps
DOT_NO_DELETE_NOTEMPTY_FOLDER=true, deletion is blocked and a clear error message is shown.Acceptance Criteria
DOT_NO_DELETE_NOTEMPTY_FOLDER(boolean, defaultfalse) is introduced and read viaConfig.getBooleanProperty()true, deleting a folder that contains any live content (Folder, Contentlet, Link, HTMLPage — checked recursively) is blockedmessage.folder.contains.liveis added to all supportedcms_language_*message properties filesfalseor absent, no behavior change from todayProposed Implementation Notes
The guard belongs in
_deleteFolder()inEditFolderAction.java. A recursive private helperisNotEmpty(Folder f)should returntrueif the folder or any descendant contains live content. The guard activates only whenConfig.getBooleanProperty("DOT_NO_DELETE_NOTEMPTY_FOLDER", false)returnstrue.Target Personas
Severity
Urgent
dotCMS Version
dotCMS 25.09.18-1 (dotEvergreen)
Links