View Issue Details

ID: 0020805
Project: mantisbt
Category: administration
View Status: public
Last Update: 2016-09-01 02:50
Reporter: vboctor
Assigned To:
Priority: normal
Severity: feature
Reproducibility: N/A
Status: new
Resolution: open
Product Version: 1.3.0-rc.1
Summary: 0020805: Protect administrators against deleting users without understanding implications
Description

Someone leaves the company and the administrator goes and deletes their account. Later they discovered that this was not a good decision. They can't filter on the user, they can edit issues that user reported or handled. They lose track of the person and just see the id, etc.

Hence, we should protect the administrator against making this mistake via one of the following approaches:

Option 1: When user clicks Delete User, we block the deletion if user has rows associated with them in the database for entities (e.g. issues, issue notes, history, attachments). And in such case, offer a button to disable the user instead.

Option 2: Give a warning to the user explaining that they should use disable instead with some explanation, but give them the option to do both actions.

My preference is option 1.

Tags: mantishub

Relationships

related to 0010141 (feedback): Disabled users are no more listed in filter
has duplicate 0021305 (closed, vboctor): Don't allow deletion of users with associated data
related to 0021304 (closed, vboctor): Don't prune system accounts

Activities

atrol

2016-04-13 04:20

developer   ~0052949

Last edited: 2016-04-13 04:21

"They can't filter on the user"
They will not be able to filter deactivated users as long as there is no fix for 0010141

If you don't allow deleting users, you will be able to generate something like "list of user names who left the company".
This is certainly not wanted in some scenarios.

So maybe there should be an option to anonymize names of deactivated users.
Something like
$g_show_deactivated_user_names_threshold = MANAGER;
If the current user does not have the right to see the names, the names of disabled users could be displayed the same way we show deleted users at the moment.
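
An added example, not part of either post and not MantisBT code: a sketch of Option 1 from the description (block deletion while rows still reference the user, leaving "disable" as the alternative) combined with the display threshold suggested in the note above. The schema, the function names, the numeric value of MANAGER and the "user<id>" placeholder format are assumptions made for illustration.

```python
import sqlite3

# Hypothetical schema, not MantisBT's real tables. Each (table, column) pair
# stores a user id that would be left dangling if the account were deleted.
REFERENCES = [("bug", "reporter_id"), ("bug", "handler_id"),
              ("bugnote", "reporter_id"), ("history", "user_id")]
MANAGER = 70  # assumed numeric access level used as the display threshold

def make_db():
    """Build a constructed in-memory data set: alice has data, bob has none."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user(id INTEGER PRIMARY KEY, name TEXT, enabled INTEGER DEFAULT 1);
        CREATE TABLE bug(id INTEGER PRIMARY KEY, reporter_id INT, handler_id INT);
        CREATE TABLE bugnote(id INTEGER PRIMARY KEY, reporter_id INT);
        CREATE TABLE history(id INTEGER PRIMARY KEY, user_id INT);
        INSERT INTO user(id, name) VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO bug VALUES (10, 1, NULL);
        INSERT INTO history VALUES (100, 1);
    """)
    return db

def reference_counts(db, user_id):
    """Return {"table.column": rows} for every place that still points at the user."""
    counts = {}
    for table, col in REFERENCES:  # identifiers come from the fixed list above
        sql = f"SELECT COUNT(*) FROM {table} WHERE {col} = ?"
        n = db.execute(sql, (user_id,)).fetchone()[0]
        if n:
            counts[f"{table}.{col}"] = n
    return counts

def delete_user(db, user_id):
    """Option 1: block deletion while associated rows exist, else delete."""
    refs = reference_counts(db, user_id)
    if refs:
        return ("blocked", refs)  # caller offers "disable" instead
    db.execute("DELETE FROM user WHERE id = ?", (user_id,))
    return ("deleted", {})

def disable_user(db, user_id):
    db.execute("UPDATE user SET enabled = 0 WHERE id = ?", (user_id,))

def display_name(db, user_id, viewer_level, threshold=MANAGER):
    """Hide names of disabled users from viewers below the threshold."""
    row = db.execute("SELECT name, enabled FROM user WHERE id = ?", (user_id,)).fetchone()
    if row is None or (not row[1] and viewer_level < threshold):
        return f"user{user_id}"  # placeholder format, shown as for a deleted user
    return row[0]
```

The per-table counts returned with "blocked" are what a confirmation page could show the administrator before offering the disable action.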

bodowenzel

2016-09-01 02:50

reporter   ~0053917

Just my €0.02 how we handle this case:

If one of our users leaves the company, I edit her real name (add " (left)" for example) and set her account to "deactivated" and "protected". So she can't be assigned any more.

We like to see her user name on issues she worked on.