Negative feature responseProtect the user from accidental collection deletion
A RavenDB user has accidentally deleted a collection. They intended to do something else, probably, but… They have a backup, but as you can imagine, this is a bad place to be in.
They talked to us and mentioned that they want a feature where deletion in the studio can be locked by a password or even two factor authentication, to prevent such a scenario.
We are not going to implement such a feature. From a technical perspective, this is a pretty easy thing to do, of course. My issue is that it doesn’t make sense for such a feature to exist. Let me dig into the details and explain what the problem is.
Locking deletes behind a password or two factor authentication is a security feature. That has a major impact on all aspects of the design. However, this is about preventing mistakes on the part of the user, not another security capability (this user can do deletes, this one cannot).
As such, this isn’t a security feature, but a UX one. The delete is already asking for confirmation, but it is the sort of thing that you rarely read, as we all know.
The distinction between a security feature and a UX feature is important. If this is a security feature, that means that I need to prevent doing mass deletes everywhere. As the result of queries, iterating over ids, in patch operations, etc. If this is a UX issue, that is a whole different level.
Looking at other such destructive operations, where the user is allowed to do the operation, but we want to prevent accidents leads me to consider something like this:
Where we require the user to perform some action if there is a major risk. That shifts the burden to the user, but it means that we now need to consider how to apply this.
Are we dealing with just mass deletes? What about update queries?
The purpose here isn’t to prevent the user from making the operation, but to have them stop and consider for a moment. The problem is that for common operations, that is something that you would add a significant amount of friction to your daily work.
When working on importing data, for example, it is common to delete the previous run each time that you run (think, development time, every 3 minutes). Adding hurdles along the way is a PITA.
More posts in "Negative feature response" series:
- (20 Dec 2021) Protect the user from accidental collection deletion
- (20 Oct 2021) Automatic attachment compression in RavenDB
Comments
Have you considered adding something similar to Azure's "locks" on resources? Allow users to define a lock on a resource, which prevents its deletion. That way, users can work in development environment without issues, and when they do to production, they add the required locks...
One way to consider best of both worlds for the added friction of double confirmation (stop and think hard about what you are doing) vs PITA: Utilize the "Environment" feature already in the studio.
If "environment = production", double confirmation everywhere it matters. If other environments, not so much.
Sometimes different UI features come together nicely :-)
Itay,
We actually have this feature, for databases and indexes. The issue is that here you want to do an actual operation on documents, which is too common to put a lock on.
Trev,
I think that this is something that sounds like a good idea, but will actually make life harder for users in day-to-day lives.
Oren,
It sounds even better if you consider that in a production environment, it's much less common to do this operation, and more of a problem if it goes wrong by human error (when compared to dev or test environments).
Also, production changes like this are often carried out by a different group of people than the ones that do the fast inner loop of development and testing. Friction is good in some contexts, especially when Human error can factor into it.
To be clear... I'm just talking about the "type the name in to confirm". Fully aligned on this not being a security thing.
https://issues.hibernatingrhinos.com/issue/RavenDB-17737
Comment preview