[openstreetmap/openstreetmap-website] User account self-deletion allows bad actors to delete and recreate the same account name to "lose" changeset discussion and block history (Issue #4018)

SomeoneElseOSM notifications at github.com
Wed Oct 4 14:46:10 UTC 2023


For info, another example of this can be seen at https://www.openstreetmap.org/user_blocks/15138. They had a previous user with the same name which was blocked a number of times (for essentially fantasy mapping) up to https://www.openstreetmap.org/user_blocks/5638 but then "deleted and recreated their account with the same name" and continued on regardless.

Two reasons for not closing this loophole were given above, for [privacy](https://github.com/openstreetmap/openstreetmap-website/issues/4018#issuecomment-1518812097) and [workload](https://github.com/openstreetmap/openstreetmap-website/issues/4018#issuecomment-1576811268) reasons.  Both of these can be addressed:

With regard to the first, would it help if I discussed potential privacy issues with the LWG (with a DWG hat on if it helps) to understand whether there are any privacy blockers here?  I'd be surprised if there were since we're not saying that users should not be able to have their accounts deleted, just that those who are currently blocked should not be able to do it via self-service?

With regard to the workload issue I'm sure that that could also be addressed - "requests for account self-deletion" could be reviewed by a wider pool of people, perhaps including from the DWG (who are likely the people who blocked them in the first place).


-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/4018#issuecomment-1746990870