"Properly" remove a user from Plone

Is it possible to ‘properly’ remove users from a site?
Alternatively: purge old ‘things/properties’ when creating a user

This is the current behaviour:

  1. A user (some-user) is added
  2. some-user gets permissions etc.
  3. some-user is deleted.
  4. some-user is added
  5. the new some-user has groups etc. equal to the ‘old some-user’

(Yes, using unique UIDs for users works around the problem, but I hope to avoid that.)

You would need a script traversing (or using the catalog) objects for local roles and ownership and check if the user is assigned, remove the role/ownership (assign ownership to a different user) and do a reindexObjectSecurity. While this is feasible with small sites, for larger sites this probably takes ages. So using UIDs as userids is the better solution.

[that said, with my new approach, having a queryable ZODB and catalog this could be done on SQL level relatively fast, but this does not help you now]

Remove the user from all the groups before deleting? You have to hook into the user deletion event to delete the user from the group. Roles are assigned by groups, usually.

If you assign roles directly, disable the user and periodically delete disabled users from object security and then remove the users. In the meantime, "same-user" cannot be assigned.

The usual ways of deleting a user in Plone (users control panel, REST API, plone.api) already take care of removing local roles.

I don’t think they remove the userid from groups.

There can still be references to the user id in plenty of places, such as:

  • the creator and contributor fields, or custom fields that stored a user id
  • catalog indexes and metadata for those fields
  • workflow history
  • CMFEditions versions

Groups are not removed

Because empty groups are usually fine. Having an empty group is not an automatism for removing the group.

I meant that the user's groups are kept, so re-adding a user gives him/her the same groups as the old user had

That's why you have to remove the user from the group before deleting him. Otherwise it will be kept there silently.

It would be nice (for my use cases) if removing a user also did this.
(Alternatively: an option on delete to ‘purge some properties’.)

For the site in question: I don't think they use ‘local permissions/roles’. Maybe I can use Products.PluggableAuthService.interfaces.events.IPrincipalDeleted (if it does not fire before they are deleted). Or maybe ‘user folders’ can be used ‘somehow’ (I don't know if user folders are deleted/modified when a user is removed).
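The "strip the user out of its groups before deleting" step discussed above, as an added example that is not code from the thread or from Plone. It assumes a groups tool with the `getGroupsForPrincipal()` / `removePrincipalFromGroup()` shape of Plone's `portal_groups`; `FakeGroupsTool` is a constructed in-memory stand-in so the logic runs offline, and whether you call `purge_group_memberships()` from an `IPrincipalDeleted` subscriber or from your own delete action is left to whichever hook fires early enough on your site.

```python
def purge_group_memberships(groups_tool, userid):
    """Remove `userid` from every group it belongs to.

    Returns the sorted list of group ids it was removed from, so a
    subscriber can log what was cleaned up before the user goes away.
    `groups_tool` is assumed to behave like Plone's portal_groups.
    """
    removed = []
    # Copy the list first: we mutate memberships while iterating.
    for group_id in list(groups_tool.getGroupsForPrincipal(userid)):
        if groups_tool.removePrincipalFromGroup(userid, group_id):
            removed.append(group_id)
    return sorted(removed)


class FakeGroupsTool:
    """Constructed stand-in for portal_groups (test double, not Plone code)."""

    def __init__(self, membership):
        # group id -> set of member user ids
        self.groups = {g: set(m) for g, m in membership.items()}

    def getGroupsForPrincipal(self, userid):
        return [g for g, members in self.groups.items() if userid in members]

    def removePrincipalFromGroup(self, userid, group_id):
        members = self.groups.get(group_id, set())
        if userid in members:
            members.discard(userid)
            return True
        return False


def demo():
    """Re-enact the thread's scenario: delete 'some-user', then re-add it."""
    tool = FakeGroupsTool({
        "Reviewers": {"some-user", "alice"},
        "Site Administrators": {"some-user"},
        "Editors": {"bob"},
    })
    # Without the purge, a re-created 'some-user' silently inherits these.
    inherited = sorted(tool.getGroupsForPrincipal("some-user"))
    removed = purge_group_memberships(tool, "some-user")
    # After the purge, a re-created 'some-user' starts with no groups.
    after = tool.getGroupsForPrincipal("some-user")
    return inherited, removed, after


if __name__ == "__main__":
    print(demo())
```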