remove accounts by administrator

8 posts / 0 new
Last post
remove accounts by administrator


This seemed to be a common problem, but did not find direct solution neither in docs, nor in FAQ. I have set up tigase test server for testing, created a number of test accounts and now want to clean them up without having to do this on client site with login/delete operation (actually, I can't delete one of my accounts from client because of the wrong password or probably by another problem). Is there a simple way to do this on server site by administrator? Also, I am using simple derby db installation and for now would prefer not to migrate to mysql. I suppose Drupal integration is intended to solve such kind of problems, but it looks like it requires migrating to mysql and it also looks like a complex solution for such simple task.



You are right, migrating to Drupal, just to remove a few accounts is kind of unreasonable approach. On the other hand I would strongly advice against using Derby for production installation.
Derby support has been introduced mainly for testing/development installations and maybe for a small hobby service. By no means it is suitable for medium or large system with high traffic.

Regardless what database you use, the problem with removing user accounts stays the same. All administrator tasks are normally performed via administrator ad-hoc commands. Ad-hoc commands are created using scripting API in the Tigase server. There are a few ad-hoc commands implemented right now, like adding a new user, sending broadcast message, etc... Unfortunately there is no script (command) for removing user account.

If you can program in Python or Groovy you could possible create a simple script to remove user accounts. If you are not, then you probably have to wait until new scripts are available.



Has anything changed in this regard ? I am also interested in account removal, but not through admin scripts, I would rather do that from Java. So, how would I go about deleting an account from Java (preferably from within tigase.xmpp.impl somewhere) that is not logged in ? session.unregister(..) requires a valid session (I do not even have one) and to be authorized on top.

Thank you

I am not really sure what you mean and what you expect exactly. Admin scripts are executed within the server application which is Java application. So this is in fact Java code which performs account deletion.
tigase.xmpp.impl is by default package for "plugins". Plugins are by design processing XMPP packets within a user session context. This is to make sure the plugin/packet can perform action the user is authorized to do so.
So if there is no valid user session you do no know where this packet comes from and whether the entity which sent the packet is authorized to send such a packet.
Plugins execution is triggered by a packet of a certain type only.
What is your workflow for user deletion? What do you want to trigger this action?


Ok, here is my scenario: one user will be allowed only one account. User will usually stick to that account for years or so, however, on some occasion user is allowed to change her account, but she must follow the rule of only having one account at any time.
So, upon her account switching, there is tactically a session, valid and authorized, but not belonging to her old account - and rather to the new one. From this session, is there a way to delete her old account ?

The client will be able to provide her old account JID as a form field during registration of new account, so server will know what to delete. I would need to somehow impersonate her old account, or use an admin account for the job, or even totally bypass the Auth framework...

Hope I have made it clear now.


I think the simplest way to implement it would be to make the client to make an invisible, background connection for the old account, authenticate and unregister and disconnect from the old account.
This can be done without any interference with the new account.

Otherwise, a different approach would be to perform an admin task by some separate background job (like an admin bot) performing some database cleanup.


I have managed to do it as in first suggestion but I am afraid it may not suffice. Is there a way to temporary elevate some regular user to admin and from there to delete other accounts ?

This would be a potential security issue. The client could make a second connection as an admin and perform any admin tasks but then you would need to make the client know the admin account and password.
As an alternative solution I can suggest something else. Assuming you have a complete control over the client code you could add one extra field to the registration data like
Then you could pass this information to auth and user repository which would create a new account and delete or deactivate the old account at the same time.