
Group deletion job never successful if deleting user removed before job runs

Problem to solve

A group can be scheduled for delayed deletion by a user, then that user's membership to the group can be removed before deletion occurs. In that case, the deletion job will run unsuccessfully, every day, forever.

Proposal

If a scheduled group deletion job finds that the triggering user has been removed from the group, the job should be deleted.

This proposal is not perfect because generally, if an action is permitted, then its results should be permitted. This proposal represents an exception to that rule: an action is permitted, then the results are not. We believe this is appropriate because the results are highly destructive. A highly destructive result should not occur if there is any indication it is malicious or mistaken.

This proposal is also not perfect because the deletion job is silently deleted. In a future enhancement we may introduce some sort of admin notification for this circumstance.

Related links

Further details

The issue requires addressing 2 problems:

  1. Delete group only if the deletion user has access to the group while the actual deletion occurs

    While deleting a group via adjourned deletion, we do not currently check whether the user has access to the group. This means groups are deleted without the right access, which could be a serious problem in certain cases, e.g. an employee schedules their organization's group for deletion before leaving the company, and the group gets deleted even after the employee was removed from the group.

    Before deleting the group, the projects within the group are deleted.

    In the event that a user was removed from the group, the deletion of the projects within the group will fail, causing the DestroyError exception to be raised.

    Since DestroyError is a type of StandardError, the job will fail silently. This will repeat every day, and the groups following this record will never be deleted.

    Resolution:

    • Prevent deletion of a group only if the deletion user does not have access to the group
    • Handle exceptions raised within the job (DestroyError)
  2. Prevent scheduling the group deletion every day if the deletion user has been removed from the group

    Resolution:

    When the deletion user is removed or leaves the group, also delete any associated group_deletion_schedule record.
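The two resolutions above, sketched as an added plain-Ruby model that is not GitLab's own code. `Group`, `Schedule`, `remove_member` and `run_deletion_job` are hypothetical names; only `DestroyError` and the idea of a deletion schedule record come from the issue, and keeping a failed schedule for a later retry is an assumption.

```ruby
# Added illustration, not GitLab code. All names except DestroyError are hypothetical.
DestroyError = Class.new(StandardError)
Schedule = Struct.new(:group, :user) # stands in for a group_deletion_schedule record

class Group
  attr_reader :name, :members
  attr_accessor :deleted

  def initialize(name, members)
    @name = name
    @members = members
    @deleted = false
  end

  # Stand-in for project and group destruction, which fails without access.
  def destroy_as(user)
    raise DestroyError, "#{user} cannot delete projects in #{name}" unless members.include?(user)
    self.deleted = true
  end
end

# Problem 2: removing a member also drops any deletion that member scheduled.
def remove_member(group, user, schedules)
  group.members.delete(user)
  schedules.reject! { |s| s.group.equal?(group) && s.user == user }
end

# Problem 1: re-check access at deletion time and isolate failures per record.
def run_deletion_job(schedules)
  log = []
  schedules.dup.each do |s|
    unless s.group.members.include?(s.user)
      schedules.delete(s) # stale schedule: drop it instead of failing daily
      log << [:skipped_no_access, s.group.name]
      next
    end
    begin
      s.group.destroy_as(s.user)
      schedules.delete(s)
      log << [:deleted, s.group.name]
    rescue DestroyError => e
      # Recorded rather than swallowed; later records are still processed.
      log << [:failed, s.group.name, e.message]
    end
  end
  log
end
```

The returned log is what an admin notification could be built from, since the stale schedule is otherwise removed silently.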

Edited by Aishwarya Subramanian