What the user was doing is that they don’t trust that the system truly deleted the account, and they worry it was just deactivated (while claiming it was “deleted”). So they tried to do a password recovery which often reactivates a falsely “deleted” account.
I’ve done this before and had to message the company and have them confirm the account is entirely deleted.
Many services have a grace period. Mostly it’s 30-90 days where they keep your data, just in case somebody else decided to delete your account or you were drunk or something. But it could also be for legal reasons, like websites where you can post stuff for everybody to see, in case you post something highly illegal and the authorities need to find you. Another example is where a webshop is required to keep a copy of your data for their bookkeeping.
But it could also be for legal reasons, like websites where you can post stuff for everybody to see, in case you post something highly illegal and the authorities need to find you. Another example is where a webshop is required to keep a copy of your data for their bookkeeping.
None of these require your account to “exist”. There could simply be an acknowledgement stating those reasons with “after X days the data will be deleted, and xyz will be archived for legal reasons”.
Mostly it’s 30-90 days where they keep your data, just in case somebody else decided to delete your account or you were drunk or something
This is the only valid reason. But even then this could be stated so that the user is fully aware. Then an email one week and another one day before deletion as a reminder, and a final confirmation after the fact. I’ve used services before that do this. It’s done well and appreciated.
This pseudo-deletion shadow account stuff is annoying.
None of these require your account to “exist”.
It’s actually much more technical than theoretical. When you delete an account on a website, that is being kept for a little while longer, it merely has field in the database that gets updated. (often with a removal date as well for the automatic removal after x amount of days). This field needs to be checked everywhere the account is used. And account recovery is mostly a part where this is forgotten, or possibly not even wanted.
And to claim this as fact, I just realized that the website I work on allows recovering of banned accounts. (Removed accounts are completely removed though because we don’t need to retain any data).
This is the only valid reason. But even then this could be stated so that the user is fully aware.
Keeping the records for a little while longer is actually implied to be known. It’s in their privacy policy, and is legal.
Whether or not services should make this easier to know exactly what is happening I definitely agree. Personally I think post history without user identifiable data should also be removed, but this is even less common practice (and is why tools exist to delete all your reddit posts for example).
When you’re the reason error log messages are created…
Hoh man what a journey. And I love that this incredibly complex situation is the only reason that status would return. What a fun time debugging that would have been
The type of error where you have to give up trying to understand the user.
It’s quite simple actually: The user wanted to delete their account, but forgot their password so they requested a password reset. Before the password reset email was delivered, the user remembered their password and deleted their account. The password reset email is finally delivered and apparently some email clients open all the links in the background for whatever reason, so it wasn’t actually the user who clicked the password reset link.
apparently some email clients open all the links in the background for whatever reason
What? Really??
Yes, e.g. outlook replaces links in mails so they can scan the site first. Also some virusscanners offer nail protection, checking the site that’s linked to first, before allowing the mail to end up in the user’s mail client.
Thats why you never take actions on a GET request, but require a form with button for the user to do a POST.
It can be worse, we had to add a captcha for those link scanners cause they’d submit the forms and invalidate tokens too:(
Wow. That sounds terrible. Good to know.
Yep. Apparently outlook does this and afaik because some kind of link sniffing/scam detection/whatever, but it does it by changing the first characters of each query argument around.
We spent amazingly long time figuring that one out. “Who the hell has gotten Microsoft service querying our app with malformed query args and why”
Yeah that error status code seems like an odd way to reflect such a scenario.
Trying this every time I need to delete an account
Immediately sue them for
DSGVOGDPR
I might be the one hitting that link just to see what happens.
“Let’s see how good their testers are.”
Now the dev doesn’t need to comment this part of the code, saves him time.
Day 492 of predicting edge cases…
You mean odor?
Sorry typo
Man, actually seeing this in a wild log would make my day.
I can tell by the error msg this wasn’t an error before and was the cause of much grief
How’d they know it was a he
Maybe there’s a specific person who keeps doing this and they wrote this error specifically for him.
Come on Dave sort yourself out.
You know this is a porn site then! 😂
You bitwise OR into the higher end bits the user id, in which you have already encoded the user’s gender. (For which you have a util method to extract. )
What the hell kind of second-rate DBMS doesn’t encode gender into its primary keys SMDH!!
Don’t be silly; it’s obvious that there are different error messages for each gender expression. Error logs need to be detailed and specific in order to be useful.
They were talking about me. They got my pronouns wrong. It’s ok though, because they will have many more opportunities to get it right.
I like seeing instances where people have used “she” as the generic pronoun.
PEBKAC.
definitely a case of the PEBKAC
Removed by mod
