What logic is executed to determine if a user can "delete" a post?

OwenMelbz

I understand there's both soft deleting/hiding and hard deleting/perm delete.

However I'm tyring to code dive to find out what actually drives both these two permissions?

I've tracked down the DeletePostHandler which I assume gets called when the DeletePostController get hit, however we cannot find the logic that handles if the user has permission to actually do this?

We've got some scenarios where users are unable to hard delete comments, and potentially sometimes soft delete..... however we run headless for our app so need to understand how to make our UI understand the permissions and flow, e.g. If 10 mins have passed, and 5 users have mentioned the post, can it still be deleted? Or does it need soft deleting before hard deleting? etc

Thanks

SychO

OwenMelbz The logic for hiding is here: https://github.com/flarum/framework/blob/main/framework/core/src/Post/Access/PostPolicy.php#L72

deleting does not have a policy method, so it falls back to the database permission posts.delete meaning that if a user has the permission, they can delete any post (by default this used for moderation purposes only).

You can add logic for permanent deletion using a PostPolicy of your own that has a delete method.
https://docs.flarum.org/extend/authorization#custom-policies

OwenMelbz

SychO

Thanks for the heads up, much appreciated.

So we've noticed that normal users are able to first soft delete their post, then hard delete their post. But within the Permissions area of the admin only admins/mods have permission to "Delete posts forever"

I cant see any posts.delete permissions in the database for anybody, so bit confused to whats happening, any ideas?

SychO

sorry it's discussion.deletePosts it'll only appear in the database if assigned to a group other than admin

OwenMelbz

SychO Ah right i see i see thanks, so does that mean that regular users should not be able to perm delete?

SychO

By default it's only offered to moderators, but it's up to you if you wish to introduce it through an extender.

OwenMelbz

SychO Oh this is odd, all our members are able to perm delete...... we've not knowingly enabled this!

Are you able to see what we might have changed here thats allowing regular members to perm delete? (black/purple/red are forms of admins/mods)

SychO

OwenMelbz all our members are able to perm delete

perm delete only their own or any posts? (both shouldn't be possible by default).

OwenMelbz Are you able to see what we might have changed here thats allowing regular members to perm delete?

No, permissions look right, I'd look into what custom code/extensions you have.

OwenMelbz

SychO Can only perm delete their own ones, the API response comes back with canDelete: true on all their own posts.

Very odd.. We're not running any extensions that I can see that would mess with it, I believe there's only 2 thats blocking users, and admin impersonate, i wouldnt have thought either of them would change it?

SychO

OwenMelbz Sorry I really can't easily tell. I don't think it's either of those extensions, perhaps any custom code you have implemented?