[openstreetmap/openstreetmap-website] User account self-deletion allows bad actors to delete and recreate the same account name to "lose" changeset discussion and block history (Issue #4018)

SomeoneElseOSM notifications at github.com
Sat Apr 22 15:57:35 UTC 2023


### URL

https://github.com/openstreetmap/openstreetmap-website/pull/3398

### How to reproduce the issue?

There have been a number of recent examples of the following sort of activity, but let's give a specific example:

A user account was created with a name "francisdouglas88614" to "force through" some changes that the local community decided were not correct.  The UID was 19014237, and due to it being a problematic returning vandal they were reverted and blocked until they contacted the DWG with https://www.openstreetmap.org/user_blocks/7071 (see previous messages in that chain of blocks for the history).

They then delete that account, and create another one - francisdouglas88614 / 19021744, and try and force through their changes again.  They were reverted and blocked with https://www.openstreetmap.org/user_blocks/7074.

They then delete that account, and create another one - francisdouglas88614 / 19031302, and try and force through their changes again.  They were reverted and blocked with https://www.openstreetmap.org/user_blocks/7077.

This is just 1 username here; there are at least 9 or 10 others.  I don't believe that it is unfair to "name and shame" this account as this user has been widely discussed [elsewhere](https://community.openstreetmap.org/t/odd-edits-in-italy/97706).

Basically, this is pretty much as predicted by https://github.com/openstreetmap/openstreetmap-website/issues/1853#issuecomment-387682751 .

In addition to previous problems noted such as https://github.com/openstreetmap/openstreetmap-website/issues/3585 .

To be clear, the idea behind https://github.com/openstreetmap/openstreetmap-website/pull/3398 absolutely makes sense; but we should prevent it from being used by bad actors as it currently is.  There may of course be reasons why a long-term-blocked user should be able to delete their account, and they can always ask the admins to do that.  What I'm suggesting is that a user shouldn't be able to engage in vandalism, get caught, delete their account and repeat the process ad infinitum.


### Screenshot(s) or anything else?

n/a

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/4018
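
The pattern reported above (block, self-deletion, re-registration of the same name under a new UID) can be detected from account lifecycle events. The following is an added example, not part of the issue and not openstreetmap-website code; the event model, the names, the UIDs and the timestamps are constructed assumptions.

```ruby
require "time"

Event = Struct.new(:at, :uid, :name, :action)

# Constructed sample events (not real OSM data). The action is one of
# :create, :block, :unblock, :self_delete (hypothetical event model).
SAMPLE = [
  ["2023-04-01T10:00:00Z", 1001, "example_mapper", :create],
  ["2023-04-01T12:00:00Z", 1001, "example_mapper", :block],
  ["2023-04-01T12:20:00Z", 1001, "example_mapper", :self_delete],
  ["2023-04-01T12:30:00Z", 1002, "example_mapper", :create],
  ["2023-04-01T14:00:00Z", 1002, "example_mapper", :block],
  ["2023-04-01T14:10:00Z", 1002, "example_mapper", :self_delete],
  ["2023-04-01T14:15:00Z", 1003, "example_mapper", :create],
  ["2023-03-01T08:00:00Z", 2001, "quiet_user", :create],
  ["2023-03-05T08:00:00Z", 2001, "quiet_user", :self_delete],
  ["2023-03-09T08:00:00Z", 2002, "quiet_user", :create]
].map { |at, uid, name, action| Event.new(Time.parse(at), uid, name, action) }

# Policy check: did the self-service deletion by +uid+ happen while a block
# was still outstanding? Returns false if the account was never self-deleted.
def blocked_at_deletion?(events, uid)
  blocked = false
  events.select { |e| e.uid == uid }.sort_by(&:at).each do |e|
    case e.action
    when :block then blocked = true
    when :unblock then blocked = false
    when :self_delete then return blocked
    end
  end
  false
end

# Detection: names registered again under a new UID after a deletion that was
# made while blocked. Returns { name => [uids in creation order] }.
def recycled_names(events)
  events.group_by(&:name).each_with_object({}) do |(name, evs), out|
    creates = evs.select { |e| e.action == :create }.sort_by(&:at)
    evaded = evs.select { |e| e.action == :self_delete && blocked_at_deletion?(evs, e.uid) }
    reused = evaded.any? { |d| creates.any? { |c| c.at > d.at && c.uid != d.uid } }
    out[name] = creates.map(&:uid) if reused
  end
end
```

A name that is deleted and re-registered without an outstanding block ("quiet_user" in the sample) is not flagged, which matches the issue's point that ordinary self-deletion should stay available.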