Group deletion job never successful if deleting user removed before job runs
Problem to solve
A group can be scheduled for delayed deletion by a user, and that user's membership in the group can then be removed before the deletion occurs. In that case, the deletion job will fail every day, forever.
Proposal
If a scheduled group deletion job finds that the triggering user has been removed from the group, the job should be deleted.
This proposal is not perfect because generally, if an action is permitted, then its results should be permitted. This proposal represents an exception to that rule: an action is permitted, then the results are not. We believe this is appropriate because the results are highly destructive. A highly destructive result should not occur if there is any indication it is malicious or mistaken.
This proposal is also not perfect because the deletion job is silently deleted. In a future enhancement we may introduce some sort of admin notification for this circumstance.
Related links
- This problem was identified by @ifarkas in !19679 (comment 258601181)
- The same problem exists with projects: #39204
Further details
The issue requires addressing 2 problems:
- Delete the group only if the deletion user still has access to the group when the actual deletion occurs
While deleting a group via adjourned deletion, we do not currently check whether the user still has access to the group. This means a group can be deleted by a user who no longer has access rights, which could be a serious problem in certain cases; for example, an employee schedules their organization's group for deletion before leaving the company, and the group is deleted even after the employee was removed from the group.
Before deleting the group, the projects within the group are deleted.
In the event that the user was removed from the group, the deletion of the projects within the group will fail, causing the `DestroyError` exception to be raised. Since `DestroyError` is a type of `StandardError`, the job will fail silently. This will repeat every day, and the groups following this record will never be deleted.
Resolution:
- Prevent deletion of a group if the deletion user no longer has access to the group
- Handle exceptions raised within the job (`DestroyError`)
- Prevent the group deletion from being scheduled every day if the deletion user has been removed from the group
Resolution:
When the deletion user is removed from or leaves the group, also delete any associated `group_deletion_schedule` record.
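The two resolutions above, modelled end to end as an added Ruby example that is not GitLab's code: `Group`, `GroupDeletionSchedule`, `run_group_deletions` and the in-memory membership list are assumptions standing in for the real models and worker.

```ruby
# Constructed in-memory model of adjourned group deletion (not GitLab's code):
# a schedule records who requested the deletion, the daily job drops stale
# schedules instead of retrying forever, and DestroyError is rescued per group.
class DestroyError < StandardError; end

GroupDeletionSchedule = Struct.new(:user)

class Group
  attr_reader :name, :members, :deleted
  attr_accessor :deletion_schedule

  def initialize(name, members)
    @name, @members, @deletion_schedule, @deleted = name, members.dup, nil, false
  end

  def schedule_deletion(user)
    @deletion_schedule = GroupDeletionSchedule.new(user)
  end

  # Problem 2: removing the deletion user also removes the pending schedule.
  def remove_member(user)
    @members.delete(user)
    @deletion_schedule = nil if deletion_schedule&.user == user
  end

  # Stands in for deleting the group's projects, which fails without access.
  def destroy_as!(user)
    raise DestroyError, "#{user} cannot delete #{name}" unless members.include?(user)
    @deleted = true
  end
end

# Daily job: returns one outcome per scheduled group so behaviour is observable.
def run_group_deletions(groups)
  groups.each_with_object({}) do |group, outcomes|
    next unless (schedule = group.deletion_schedule)
    # Problem 1: the deletion user must still have access when deletion runs.
    unless group.members.include?(schedule.user)
      group.deletion_schedule = nil
      next outcomes[group.name] = :schedule_dropped
    end
    begin
      group.destroy_as!(schedule.user)
      outcomes[group.name] = :deleted
    rescue DestroyError => e
      outcomes[group.name] = [:failed, e.message] # surfaced, not swallowed
    end
  end
end
```

Because each group is handled in its own `begin`/`rescue`, a stale schedule at the front of the queue no longer blocks the groups behind it.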