
Investigate or work on how to make Diffusion repositories deletable via web interface
Open, Lowest, Public

Description

Deleting Diffusion repositories via web is currently disabled:

If you really want to delete the repository, run this command from the command line:
phabricator/ $ ./bin/remove destroy <repo_callsign_or_R####>
Repositories touch many objects and as such deletes are prohibitively expensive to run from the web UI.

I feel we should investigate if we could, maybe, ease the DB transactions or make jobs run in background, etc. to make repo deletion available via web.

Event Timeline

MarcoAurelio renamed this task from Make Diffusion repositories deletable via web interface to Investigate or work on how to make Diffusion repositories deletable via web interface. Nov 16 2017, 9:41 AM
Aklapper triaged this task as Lowest priority. Nov 16 2017, 11:40 AM
Aklapper edited projects, added Phabricator (Upstream); removed Phabricator.

Deleting Diffusion repositories via web is currently disabled:

There's no setting AFAIK, like for many other things (e.g. you cannot delete a user account via the web interface), and it does not sound like a very common action.

epriestley added a subscriber: epriestley.

This guidance is out of date and a bit misleading. I filed https://secure.phabricator.com/T13364 upstream to update it.

Although the actual deletion cost was once prohibitive, Phabricator now has a lot of tools for doing slow/background operations.

In modern Phabricator, this operation is explicitly not permitted because we (mostly) don't let you delete anything from the web UI, so this is a product issue rather than a technical issue. I don't expect this to change in the upstream, and we're generally going the other way (gradually removing older workflows which let you permanently destroy data and/or don't leave an audit trail, and replacing them with append-only workflows).

If you want to support irreversible destruction of data from the web UI on this install you can follow the pattern in PhabricatorFileDeleteTransaction:

  • Use PhabricatorWorker::scheduleTask(...) to queue a destruction task.
  • The task should be a subclass of PhabricatorWorker, similar to FileDeletionWorker.
  • Have that task call PhabricatorDestructionEngine->destroyObject($repository) on the object.

(The ability to delete files is inconsistent with other modern product practices and will probably be removed at some point, but the underlying worker + task queue pattern is very unlikely to change.)

The major concern with doing this is that if an attacker compromises an administrator account, access to permanent data destruction operations may allow them to do much greater damage than they otherwise could. Of course, you may be comfortable with this risk in this context.

Note that this doesn't actually remove the repository on disk -- when run interactively from the CLI, the command advises you of this:

'Database records for repository "%s" were destroyed, but this '.
'script does not remove working copies on disk. If you also want to '.
'destroy the repository working copy, manually remove "%s".',

This is mostly a "please please please don't hold us responsible if you destroy something important, we made you confirm a prompt with a giant red skull covered in danger symbols" kind of thing rather than a technical limitation.
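
The worker and task-queue pattern described in the comment above, sketched as an added example; it is not code from this thread or from upstream Phabricator. The class name RepositoryDeletionWorker and the helper queue_repository_destruction() are hypothetical, and the code assumes it is loaded as part of a Phabricator library on the install:

```php
<?php

// Hypothetical worker for this install; the class name is an assumption,
// modeled on the FileDeletionWorker mentioned in the comment above.
final class RepositoryDeletionWorker extends PhabricatorWorker {

  protected function doWork() {
    $phid = idx($this->getTaskData(), 'objectPHID');
    if (!$phid) {
      // Malformed task: retrying can never succeed, so fail permanently.
      throw new PhabricatorWorkerPermanentFailureException(
        pht('No "%s" in task data.', 'objectPHID'));
    }

    // Workers run outside any web session, so the load uses the omnipotent
    // viewer. The acting user's permission check has to happen before the
    // task is queued, because nothing here re-checks it.
    $repository = id(new PhabricatorRepositoryQuery())
      ->setViewer(PhabricatorUser::getOmnipotentUser())
      ->withPHIDs(array($phid))
      ->executeOne();
    if (!$repository) {
      throw new PhabricatorWorkerPermanentFailureException(
        pht('Repository "%s" does not exist.', $phid));
    }

    // Destroys database records only; the working copy stays on disk.
    id(new PhabricatorDestructionEngine())
      ->destroyObject($repository);
  }

}

// Hypothetical call site, for example a custom transaction's
// applyInternalEffects(), reached only after the policy check has passed.
function queue_repository_destruction(PhabricatorRepository $repository) {
  PhabricatorWorker::scheduleTask(
    'RepositoryDeletionWorker',
    array('objectPHID' => $repository->getPHID()),
    array('priority' => PhabricatorWorker::PRIORITY_BULK));
}
```

Because the destruction is irreversible and runs with the omnipotent viewer, the code path that queues the task is the only place to enforce who may trigger it and to record who did.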