securedrop
Allow for removal of "pending" source accounts
Description
When a source account is created but before a first submission, by default a "pending" flag is set. Pending accounts are not displayed in the journalist interface.
If a user then exits their session and never returns to provide a submission, the account will remain in a pending state indefinitely, and cannot be removed via the Journalist Interface. On long-running high-volume instances this increases the source user count significantly, requiring admin intervention to fix.
One approach to allow for the removal of unused source accounts would be to change the pending boolean flag to a datetime value, and purge unused accounts via a cronjob or similar after a set time (say, a month). This has the disadvantage of increasing metadata (source account creation time) about prospective sources, though the field could be set to null on submission, meaning that said metadata would not be stored for sources that were actually ever active. This could be mitigated somewhat by giving the datetime a resolution on the order of days or weeks.
Alternatively, the fact that active source sessions without submissions would be nuked when the purge ran could just be accepted.
Note that this would be moot if/when inverted flow changes land, as accounts would then only be created on first submission. So it might not be worth the effort if it was just a temporary measure.
User Research Evidence
long-term observations of instance behavior...
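
A sketch of the datetime-based purge proposed in the description, as an added example that is not SecureDrop code. The `sources` table, the `pending_since` column and all function names are hypothetical, and it uses the standard-library `sqlite3` module rather than the project's own database layer. Because the stored date is rounded down to the week, the purge cutoff is widened by six days so that no account is removed before the full retention period has passed.

```python
import sqlite3
from datetime import date, timedelta

RETENTION = timedelta(days=30)   # "say, a month" from the proposal
WEEK_SLACK = timedelta(days=6)   # worst-case error from week rounding

def coarse_week(d: date) -> str:
    """Round a date down to the Monday of its week to limit stored metadata."""
    return (d - timedelta(days=d.weekday())).isoformat()

def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    # Hypothetical schema: pending_since replaces the boolean pending flag.
    db.execute("CREATE TABLE sources "
               "(id INTEGER PRIMARY KEY, name TEXT, pending_since TEXT)")
    return db

def create_source(db, name: str, today: date) -> None:
    db.execute("INSERT INTO sources (name, pending_since) VALUES (?, ?)",
               (name, coarse_week(today)))

def record_submission(db, name: str) -> None:
    # First submission: the account is no longer pending, drop the timestamp.
    db.execute("UPDATE sources SET pending_since = NULL WHERE name = ?", (name,))

def purge_pending(db, today: date) -> int:
    """Delete accounts still pending after RETENTION; return how many."""
    # ISO dates compare correctly as strings. Subtracting WEEK_SLACK ensures
    # an account created late in a week is not purged up to six days early.
    cutoff = (today - RETENTION - WEEK_SLACK).isoformat()
    cur = db.execute("DELETE FROM sources "
                     "WHERE pending_since IS NOT NULL AND pending_since < ?",
                     (cutoff,))
    return cur.rowcount

def remaining(db) -> list:
    return [r[0] for r in db.execute("SELECT name FROM sources ORDER BY id")]

if __name__ == "__main__":
    db = make_db()
    create_source(db, "stale", date(2024, 1, 2))   # constructed sample data
    create_source(db, "active", date(2024, 1, 2))
    record_submission(db, "active")
    print(purge_pending(db, date(2024, 3, 1)), remaining(db))
```

The purge cannot tell an abandoned account from a source who is still in a session but has not yet submitted, which is the trade-off the description says could simply be accepted.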