Make it possible to delete spam projects

Yes, we can allow this if there is no code pushed.

I don’t expect we need to disallow deletion if there are co-maintainers added. Although there are valid community projects without code that we do not want accidentally deleted. Maybe a check on if there are issues opened for the project is needed.

We do want to allow new people to show up and be able to contribute right away without barriers. I’ve seen a few cases of people whose first contribution is a project with code. Requiring them to get their account confirmed first discourages people from using Drupal.org for their project.

Added a few implementation notes to the issue summary. For working on this, are your SSH keys at https://www.drupal.org/user/55077/ssh-keys up to date?

You should be able to ssh kiamlaluno@wwwdev1.drupalsystems.org now. The dev site for this will be wwwdev1.drupalsystems.org, it should be ready in about 45 minutes. See https://www.drupal.org/drupalorg/docs/build/development-environments/dev... for working with our dev server.

Comment notifications do go out - please don’t use webmaster access to delete any comments that aren’t spam or otherwise within policy to delete. It is best to keep the issue comments intact to avoid confusion.

delete own project without code is not a permission we currently need. People can already delete their own sandbox projects, regardless of other factors. And I think we should leave the restrictions on deleting full projects as-is.

Orphaned issues no longer cause 500 errors, so there isn’t as much of a technical reason to require issues be deleted first. They are still not fun to run into.

I agree with drumm (#3) that new people to shall be able to contribute right away without barriers (i.e. no role requirement for creating a module or theme project).

Adding an permission that "Allows users with the delete any project without code to delete any project without committed code" should be sufficient permission to allow deletion of spam projects. If it is only given to experienced community members (e.g. site moderators) I don't think there is much of a risk for a site moderator mistaking a community project without code for spam.

The current wave of spam project's are pretty blatent ("Watch XXX for free"), where XXX has nothing to do with Drupal or software.

In the past I've seen some borderline cases, where a community member has created a project page for the sole purpose of linking to a site where one can purchase a "premium" version of the module project. E.g.: https://www.drupal.org/project/autocomplete_labels

We currently have no policy on these, and I would not personally use my site moderator privileges to unpublish or delete this type of code-less projects until we've agreed upon an accepted policy. IMHO, it is not free software, so it shouldn't be on Drupal.org, but these "premium" Drupal projects are far less offensive than the wave of "Watch XXX for free" spam that is currently hitting us.

I was not sure if we needed this, since legitimate project deletions were so rare until the latest spam wave. That seems to be subsiding, but we should be ready for next time.

+  // Avoid project_node_access() is invoked, or it would not permit users with
+  // the "delete any project without code" permission to delete a project that
+  // doesn't have committed code.
+  if ($hook === 'node_access') {
+    unset($implementations['project']);
+  }

Overriding & re-creating this will be harder to maintain and work on in the future. What we can do is:

• Grant site moderators the delete any full project permission and any other node module permissions needed for deletion.
• The change from this issue should return NODE_ACCESS_DENY if a project has code, so it overrides other access rules. No additional permission definition necessary, as admins have bypass node access.

Thanks, this is deployed now.

As we move toward more reliance on GitLab, we likely won’t be maintaining the versioncontrol* data in the local DB in the future. I replaced the check with an API call. Since that API call is an HTTP request, I’ve added a few more conditions for checking, to minimize the relatively-slow requests.

Sandbox project authors can delete their sandbox project at any time. I'm allowing deleting any sandbox project, regardless of code.

Still not possible for a site moderator to delete spam projects.

I unpublished this project this morning:
https://www.drupal.org/project/venom2lettherebecarnage2021movieaustralia...

However, I am not able to delete it.

There is no "delete" link in the "Operations" column, like it is for other nodes.

There is a "Delete item" in the "Operations" pull-down menu, but selecting it and pressing "Execute" followed by "Confirm" makes the progress indicator appear, but no item is deleted.

apaderno,
my role here is 'site moderator'. Was the permission to delete projects added to that role, or some other elevated role? (I belive you have several.)

The difference is the administer projects permission. This grants some blanket allow access to projects. In absence of that, nothing is allowing or denying delete access to projects for site moderators, so it defaults to deny.

We should be able to grant some specific delete permissions to make this work.

This should be good now.

Please remember - this is only for deleting spam and test content, and anything else specifically against policies. Other cleanups and handling requests from maintainers should still be escalated to the infrastructure issue queue.