Forums | Mahara Community

Support /
Users can delete own accounts


MarionMacDonald's profile picture
Posts: 203

17 September 2013, 21:21

Hi

I've just spotted a big 'Delete account' button recently appearing at the top of users' Settings although I do not have registration allowed under Administer Institutions.  Is there some other setting that controls this?

Marion

anonymous profile picture
Account deleted
Posts: 4

17 September 2013, 22:25

Hi, just unchecked Registration allowed under Administer instituitions.

TQ

MarionMacDonald's profile picture
Posts: 203

17 September 2013, 22:40

 I do not have registration allowed under Administer Institutions.

Aaron Wells's profile picture
Posts: 896

18 September 2013, 11:55

Hi Marion,

The button should be hidden if the user belongs to at least one institution that has "Registration allowed" turned off (or if the user is an Admin).

What version of Mahara are you using?

Cheers,

Aaron

MarionMacDonald's profile picture
Posts: 203

18 September 2013, 20:10

Hi Aaron

On our live site, all users are in one institution which has 'Registration allowed' turned off.  There are two authentication plugins - LDAP and internal.  We're on version 1.7.0 on the live site. All users have the 'Delete account' button on their 'Settings' page (even those whose authentication is internal).

On our dev site, we have the same institution replicated with the same settings and members have the 'Delete account' button.   I've also set up another 13 institutions but the authentication on these is internal.  None of these users have the 'Delete account' button.  Version 1.6.2 on the dev site (being updated tomorrow).

 

Regards

Marion

 

Aaron Wells's profile picture
Posts: 896

19 September 2013, 15:56

Hi Marion,

The way the code is written, is that when you access the /account/index.php page, it calls the function $USER->can_delete_self() to see whether you've got permission to delete your own account. That function looks like this:

    public function can_delete_self() {
        if (!$this->get('admin')) {
            // Users who belong to an institution that doesn't allow
            // registration cannot delete themselves.
            foreach ($this->get('institutions') as $i) {
                if (!$i->registerallowed) {
                    return false;
                }
            }
            return true;
        }
        // The last admin user should not be deleted.
        return count_records('usr', 'admin', 1, 'deleted', 0) > 1;
    }

It then takes the results of that flag and puts them in a Smarty variable called $candeleteself. It's then up to the theme's implementation of the account/index.tpl page template to see that flag and decide whether or not to show the "Delete account" link. The default version of the template looks like this:

{include file="header.tpl"}
{if $candeleteself}<div class="message"><a href="{$WWWROOT}account/delete.php" class="btn">{str tag=deleteaccount section=account}</a></div>{/if}
            {$form|safe}
{include file="footer.tpl"}

These code snippets were taken from Mahara 1.6, but this section of the code hasn't changed in Mahara 1.7 or 1.8.

Are you using a custom theme? Perhaps your theme has overriden account/index.tpl but doesn't have the check against $candeleteself in there? The only other things I can think of, are whether you've maybe got some code modifications in htdocs/account/index.php or htdocs/auth/user.php, or if all of your users are admins for some reason. But those are kind of long-shots.

I guess one thing you could do as a final workaround to this, is to do a local override of the account/index.tpl template. To do that, you'd take the file "htdocs/theme/raw/templates/account/index.tpl", and copy it to "htdocs/local/theme/templates/account/index.tpl". Then in that copy, delete the part of the template where it shows the "Delete account" link. Then nobody will be able to delete their own account.

Cheers,

Aaron

MarionMacDonald's profile picture
Posts: 203

19 September 2013, 21:12

Aaron

Thank you very much for your help. I followed the isntructions in your last para and that has fixed the problem so I'm happy.

In case you're wondering how this came about, we haven't modified any code and our users aren't all admins.  We do have a custom theme in the live site but it's based on the default theme and just involved images and stylesheets, not templates.  The primary institution on the dev site uses the default theme and has had no other changes but the problem exists for that institution (even after version upgrade this morning).  The other institutions use variations of the custom theme and these users are not able to delete accounts.

The only change I've made to the templates on the live site is insert Google Analytics snippet in footer.tpl

That's just in case you want to follow it up. As I said, the matter's been fixed so thanks again.

Regards

Marion

Aaron Wells's profile picture
Posts: 896

23 September 2013, 13:02

Hi Marion,

Thanks for the details. It's not a perfect resolution, because I'm still scratching my head over why the button was showing up for your users. But, at least we've fixed your problem. Smile

If some person is reading this forum thread in the future because you are also experiencing this problem, to this hypothetical future reader I say, speak up here, and perhaps with your details we can triangulate in on the cause of this problem and solve it. Wink

Cheers,

Aaron

anonymous profile picture
Account deleted
Posts: 27

31 July 2015, 11:33

"...some person reading this forum thread in the future." -- that would be me.

Under Mahara v15.04.1 in our test environment, using a standard (unmodified) theme.

Many of our users are not in an institution; they're in the "No institution" institution. All of our user accounts were created manually.

Administration > Institutions > No institution Settings > Registration allowed: OFF
- The "No institution" users see the "Delete account" button on their user Settings page.
- The users in any other institution do NOT see the "Delete account" button.

When I move a "No institution" user to any other institution (all of which also have Registration allowed: OFF), the button disappears from their Settings page.

Turning the setting on and then off again in "No institution" Settings didn't help.

It would appear that creating a secondary "No institution"* might be a viable work-around for us...

Save yourself a little time while testing: the effect is the same for "Login as" the user or when you actually log out and login with their credentials.

* (Maybe called "Not No Institution" ;-) )

 

Hrynkiw
Kwantlen Polytechnic University
near Vancouver, Canada

Robert Lyon's profile picture
Posts: 773

31 July 2015, 15:35

Hi Donna,

Thank you for your reply to this problem and from it I was able to replicate the problem.

I have filed a bug report for it and begun a patch to fix it.

Cheers

Robert

11 results