Topic: Can a user delete their own account?

Without needing an admin to do it for them?

2

Re: Can a user delete their own account?

I'm sure a simple user can't. A moderator can if you give him the permission.

Ludo,

3

Re: Can a user delete their own account?

I use PunBB as central member registration system on my site. I really need a way to offer members the option to cancel their account.

Is there no way to do this? I see delete_user code in profile.php, but can't figure out how to use it for a Cancel Account option.

Re: Can a user delete their own account?

Just copy/paste it? :P

5 (edited by Peter 2007-11-04 03:23)

Re: Can a user delete their own account?

Thanks Smartys, but copy what exactly, paste where?

I see this in profile.php, but it's part of a lot of other if/else code:

else if (isset($_POST['delete_user']) || isset($_POST['delete_user_comply']))
{
    if ($pun_user['g_id'] > PUN_ADMIN)
        message($lang_common['No permission']);

    confirm_referrer('profile.php');

    // Get the username and group of the user we are deleting
    $result = $db->query('SELECT group_id, username FROM users WHERE id='.$id) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
    list($group_id, $username) = $db->fetch_row($result);

    if ($group_id == PUN_ADMIN)
        message('Administrators cannot be deleted. In order to delete this user, you must first move him/her to a different user group.');

    if (isset($_POST['delete_user_comply']))
    {
        // If the user is a moderator or an administrator, we remove him/her from the moderator list in all forums as well
        if ($group_id < PUN_GUEST)
        {
            $result = $db->query('SELECT id, moderators FROM '.$db->prefix.'forums') or error('Unable to fetch forum list', __FILE__, __LINE__, $db->error());

            while ($cur_forum = $db->fetch_assoc($result))
            {
                $cur_moderators = ($cur_forum['moderators'] != '') ? unserialize($cur_forum['moderators']) : array();

                if (in_array($id, $cur_moderators))
                {
                    unset($cur_moderators[$username]);
                    $cur_moderators = (!empty($cur_moderators)) ? '\''.$db->escape(serialize($cur_moderators)).'\'' : 'NULL';

                    $db->query('UPDATE '.$db->prefix.'forums SET moderators='.$cur_moderators.' WHERE id='.$cur_forum['id']) or error('Unable to update forum', __FILE__, __LINE__, $db->error());
                }
            }
        }

        // Delete any subscriptions
        $db->query('DELETE FROM '.$db->prefix.'subscriptions WHERE user_id='.$id) or error('Unable to delete subscriptions', __FILE__, __LINE__, $db->error());

        // Remove him/her from the online list (if they happen to be logged in)
        $db->query('DELETE FROM '.$db->prefix.'online WHERE user_id='.$id) or error('Unable to remove user from online list', __FILE__, __LINE__, $db->error());

        // Should we delete all posts made by this user?
        if (isset($_POST['delete_posts']))
        {
            require PUN_ROOT.'include/search_idx.php';
            @set_time_limit(0);

            // Find all posts made by this user
            $result = $db->query('SELECT p.id, p.topic_id, t.forum_id FROM '.$db->prefix.'posts AS p INNER JOIN '.$db->prefix.'topics AS t ON t.id=p.topic_id INNER JOIN '.$db->prefix.'forums AS f ON f.id=t.forum_id WHERE p.poster_id='.$id) or error('Unable to fetch posts', __FILE__, __LINE__, $db->error());
            if ($db->num_rows($result))
            {
                while ($cur_post = $db->fetch_assoc($result))
                {
                    // Determine whether this post is the "topic post" or not
                    $result2 = $db->query('SELECT id FROM '.$db->prefix.'posts WHERE topic_id='.$cur_post['topic_id'].' ORDER BY posted LIMIT 1') or error('Unable to fetch post info', __FILE__, __LINE__, $db->error());

                    if ($db->result($result2) == $cur_post['id'])
                        delete_topic($cur_post['topic_id']);
                    else
                        delete_post($cur_post['id'], $cur_post['topic_id']);

                    update_forum($cur_post['forum_id']);
                }
            }
        }
        else
            // Set all his/her posts to guest
            $db->query('UPDATE '.$db->prefix.'posts SET poster_id=1 WHERE poster_id='.$id) or error('Unable to update posts', __FILE__, __LINE__, $db->error());

        // Delete the user
        $db->query('DELETE FROM users WHERE id='.$id) or error('Unable to delete user', __FILE__, __LINE__, $db->error());

        redirect('index.php', $lang_profile['User delete redirect']);
    }
}

I've tried to use that code with a link like this:

<a href="profile.php?action=delete_user&id=<? echo $row['id']; ?>">Cancel Account</a>

But it didn't do anything. It just pulled up the regular profile.php editing menu (with Essentials, etc.).

What uses this delete_user code? I don't see anything related to deleting users/accounts in the regular user menus.

6

Re: Can a user delete their own account?

Firstly, are you adding that link in profile.php? If not, the referrer check will fail. You'd also need to alter/remove the Admin/Mod permission check.

Re: Can a user delete their own account?

Don't do what Matt said. That would mean anybody could delete anybody.
You can't just remove the admin restriction from the permissions check, you need to also allow a user to delete his/her own account.
And when I said copy/paste the code, I meant copy/paste the code to your own script, since I assumed that was what you were doing.
You're right that there's no delete option for users: because there isn't :P

8

Re: Can a user delete their own account?

Why isn't there a delete option for users?

I will puzzle with this when I have more time, but I don't want to mess it up.

Any suggestions how to "extract" the relevant code from profile.php, how to keep the right permissions checks and how to use it are very welcome.

9

Re: Can a user delete their own account?

Smartys wrote:

Don't do what Matt said. That would mean anybody could delete anybody.
You can't just remove the admin restriction from the permissions check, you need to also allow a user to delete his/her own account.

My apologies. Looking at that I could have been a tad more descriptive, with hindsight. :D

10

Re: Can a user delete their own account?

Peter wrote:

how to keep the right permissions checks and how to use it are very welcome.

You would want to check the calling user id against the user id being deleted, and only allow the deletion upon a match of the two.

Re: Can a user delete their own account?

Peter wrote:

Why isn't there a delete option for users?

Because deleting is an administrative/maintenance action that can have effects on the entire board.

12

Re: Can a user delete their own account?

Smartys wrote:
Peter wrote:

Why isn't there a delete option for users?

Because deleting is an administrative/maintenance action that can have effects on the entire board.

That's why I don't want to improvise this, but there really should be a Delete Account option for the user. You can't just trap users on your site. A Delete Account option is a basic requirement for any site that registers users.

If I can't find a solution I have to look for another script and start from scratch. :-(

13

Re: Can a user delete their own account?

I don't quite get the reference to users being trapped. A responsible admin will comply with requests to remove an account. Wouldn't a safer solution be to have a system for automating removal requests? The user account could then be flagged and an admin plugin could automatically remove user accounts that have been flagged.

Re: Can a user delete their own account?

Or you could allow users to delete their own accounts without deleting their posts by editing two lines of the code you pasted above. You could then either provide a proper form setup on your own or alter profile.php more to show the delete option.
And I have to agree with Paul, I wouldn't equate not being able to delete an account to being trapped. Nobody forces you to keep visiting a website.

15

Re: Can a user delete their own account?

Smartys wrote:

Or you could allow users to delete their own accounts without deleting their posts by editing two lines of the code you pasted above.

That sounds good enough for me. I'd like to try that. For a non-php coder it's not obvious which two lines should be edited how, so any more pointers would be very much appreciated.

"Trapped" is somewhat overdramatic. I use PunBB as the general member registration script for my site. I'm just trying to be "customer-friendly". Offering a Delete Account option seems a must.

Thanks for all the suggestions!

Re: Can a user delete their own account?

FIND

    if ($pun_user['g_id'] > PUN_ADMIN)
        message($lang_common['No permission']);

REPLACE WITH

    if ($pun_user['g_id'] > PUN_ADMIN && $pun_user['id'] != $id)
        message($lang_common['No permission']);

FIND

if (isset($_POST['delete_posts']))

REPLACE WITH

if (isset($_POST['delete_posts']) && $pun_user['g_id'] == PUN_ADMIN)

That way, you can only delete a user if you're an administrator or it's your account, and you can only delete posts if you're an administrator.
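The two edited checks from the post above, collected into one decision function and run over constructed callers. This is an added example, not PunBB's code or any poster's. The `deletion_rights` helper, the group id values (assumed to follow PunBB 1.2 numbering) and the guard on the guest row (user id 1, inferred from the `poster_id=1` query in the pasted handler) are assumptions.

```php
<?php
// Group ids assumed to follow PunBB 1.2 numbering (values not shown in the thread).
const PUN_ADMIN = 1;
const PUN_GUEST = 3;
const GUEST_USER_ID = 1; // inferred from the "SET poster_id=1" guest query in the handler

/**
 * Hypothetical helper: what may $caller do to account $targetId?
 * $caller must come from the authenticated session, never from the request.
 * Returns ['delete_user' => bool, 'delete_posts' => bool].
 */
function deletion_rights(array $caller, int $targetId, int $targetGroup): array
{
    $callerId = (int) $caller['id'];
    $isAdmin  = ((int) $caller['g_id'] === PUN_ADMIN);
    $isGuest  = ((int) $caller['g_id'] === PUN_GUEST) || $callerId === GUEST_USER_ID;
    $isSelf   = !$isGuest && $callerId === $targetId; // strict integer match

    // Same rule as the edited permission check: admin, or owner of the account.
    $mayDelete = $isAdmin || $isSelf;

    // The pasted handler refuses to delete administrators. The guest-row guard
    // is an addition here: reassigned posts point at that row, so it must stay.
    if ($targetGroup === PUN_ADMIN || $targetId === GUEST_USER_ID)
        $mayDelete = false;

    return [
        'delete_user'  => $mayDelete,
        'delete_posts' => $mayDelete && $isAdmin, // deleting posts stays admin-only
    ];
}

// Constructed cases: [caller, target id, target group]
$cases = [
    'admin deletes member'    => [['id' => 2, 'g_id' => 1], 7, 4],
    'member deletes self'     => [['id' => 7, 'g_id' => 4], 7, 4],
    'member deletes other'    => [['id' => 7, 'g_id' => 4], 8, 4],
    'moderator deletes other' => [['id' => 5, 'g_id' => 2], 8, 4],
    'guest targets guest row' => [['id' => 1, 'g_id' => 3], 1, 3],
    'admin deletes self'      => [['id' => 2, 'g_id' => 1], 2, 1],
];

foreach ($cases as $label => [$caller, $targetId, $targetGroup]) {
    $r = deletion_rights($caller, $targetId, $targetGroup);
    printf("%-25s delete_user=%-5s delete_posts=%s\n", $label,
        var_export($r['delete_user'], true), var_export($r['delete_posts'], true));
}
```

Only the first two cases allow deletion, and only the admin case allows deleting posts. The guest case matters when the handler is copied into a standalone script, where an unauthenticated caller with id 1 would otherwise pass the self-match.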

17

Re: Can a user delete their own account?

Cool! Makes sense. I'll try this as soon as I have time.

Thanks! :-)