Delete user #184

Open
jvalleva opened this issue May 15, 2024 · 5 comments

Comments

@jvalleva

The client has asked us to delete (not just block) a certain user.
We are using oe_authentication and we have seen that it blocks this possibility.
We wanted to confirm with you if this is a security restriction or if we can create a patch to remove that limitation?
Please can you explain the security reasons for this limitation?
Thanks!

@kiwimind

Came here to ask the same question, however ours is more along the lines of needing to delete a lot of spam accounts.

Also we seem to have some sites with this enabled and others without, so I'm wondering what benefit this module brings.

@jvalleva
Author

Hello again,
Any answers to these questions regarding the limitations of deleting users?
We must eliminate users; for this we are forced to create a patch that removes this limitation, but we need to have confirmation that we are not bypassing any security restrictions.

@jvalleva
Author

Hello again,
Any answers to these questions regarding the limitations of deleting users?

@catalinvlad-tremend

Hello @jvalleva,

We also had this issue on our projects and we created a patch to check also for a permission since user 1 is usually blocked on production.
oe_authentication.cancel_account.patch

I think you can find some answers here #79

@kiwimind

kiwimind commented Jun 6, 2024

Thanks for the link @catalinvlad-tremend

The answers on that thread really are unsatisfactory, especially due to GDPR concerns. Account holders have a legal right to ask for their information to be removed from a site. There is no way, other than user1 or having to amend existing functionality, to provide a method to delete users.

I don't know why this decision was made on this module. Personally I would have added it as an optional feature on top of core, not a hard override.

Like @jvalleva we are going to have to look into patching this module in order to reinstate core functionality that has been altered.
