Drupal core offers a setting for site builders (to which the "Site Manager" role has access) to configure what should happen if a user cancels their account (block the account and keep content, block the account and unpublish the content, delete the account and move content to anonymous user, or delete the account and delete the content).

However, by default Open Social gives all authenticated users the choice to overwrite this setting which could lead to data loss (e.g. configured to block and unpublish but the user says to delete all). Major priority due to possible data loss. The permission itself is also marked as having security implications.

Proposed Resolution

Revoke the "Select method for cancelling own account" for Authenticated Users.

Comments

Kingdutch created an issue. See original summary.

jaapjan’s picture

jaapjan commented
Priority: Major » Normal
jaapjan’s picture

jaapjan commented
Category: Bug report » Task
tbsiqueira’s picture

tbsiqueira
He/him
commented
Status: Active » Closed (outdated)

Only admins have this permission, this ticket is outdated