i'm about to delete a user that heavily contributed content to a plone site. (@@search?Creator=username returns hundreds of results)
until now i preferred to "deactivate" these kind of users (change email, password and remove all local roles) because i am/was not 100% sure about the consequences.
i'd guess just deleting is fine:
- local roles defined for users/groups/roles that do not exist anymore simply are not taken into account (possible downside of not cleaning up local roles: adding a user with the same name later, grants him/here theses existing roles)
- byline will list username instead of "First Lastname" because the Creator can't be looked up.
- Contributors contains "First Lastname" according to the docs (https://docs.plone.org/develop/plone/content/ownership.html) - so no downside here.
do i need to take care of changing owner/creators of content items created by a user before removing him/her from the plone site?
as there are products such as https://pypi.python.org/pypi/plone.app.changeownership there might be cases where simply deleting a member leads to problems.
is there anything special in
AccessControl.owner.Owned that could break a portal / item which owner has been deleted?
If you delete a user through the Plone UI, so the Users and Groups control panel, the whole site is searched and local roles are deleted. So that should take care of everything. In fact, this may take too long, in which case you may want to patch the deletion.
I haven't encountered breakage yet, also not when removing users through the ZMI, which leaves local roles and probably other user related stuff.
Zope has two notions of "Ownership": the so called "executable ownership" (taken care of by "AccessControl.owner") and the local role "Owner" (handled in "AccessControl.rolemanager").
Usually, "executable ownership" is relevant only for executable objects (i.e. scripts, templates) - not for content objects.
Thus, there should be no problems with deleting a user regarding "executable ownership", unless this user has customized scripts/templates or has created the portal.
thanks @dieter and @mauritsvanrees.
so AccessControl.owner needs to be taken care of when deleting a user in zope's acl_user (who potentially could be the creator of the plonesite)
deleting users via @@usergroup-userprefs will also take care of local roles so no stale information will be left behind.
Amazing coincidence... someone had posted about this just the other day: Adding the ability for users to delete their accounts (and I see that @frisi replied to it).
Does all this info need to be pulled together and documented somewhere and/or do we need to add code?
hey kim. i stumbled over this post after asking this question here. while both are about deleting users i don't think they do have much in common.
but asking if we can/should update documentation is a very good point.
i'd say dieter's information about AccessControl.owner should be added to https://docs.plone.org/develop/plone/content/ownership.html
information about removing users could go into https://docs.plone.org/develop/plone/members/member_basics.html (example code how to remove a user - possibly link to the other topic you mentioned)
also implications (such as: if a user registers later on with the same name, content formerly created by a different user with the same name will be credited with his name then)
in addtion plone.api documentation does not state clearly if local roles are removed when removing a user (similar to deleting a user in the control-panel as maurits pointed out)
Hi @frisi - thx - could you file issues for the above so we don't lose track and (If you have time) make the PRs?
On to the topic of deleting users, and as a data point on how others have addressed the issue, I found this in this (Discourse) forum's Admin panel:
"Users can't be deleted if they have posts. Delete all posts before trying to delete a user. (Posts older than 60 days old can't be deleted.)"