View Issue Details

ID: 0002998
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2004-12-11 03:01
Reporter: rep002
Assigned To: vboctor
Priority: normal
Severity: trivial
Reproducibility: always
Status: closed
Resolution: duplicate
Summary: 0002998: Logged in user is allowed self delete
Description

If the user has admin authority and deletes the account when he is logged in as himself, it allows the operation and then gives an error. Either the delete must not be allowed or, if it is, then an automatic log off should happen.

Tags: No tags attached.

Relationships

duplicate of 0003819 (closed, dregad): delete currently logged user

Activities

vboctor

2003-02-24 21:38

manager   ~0003804

I think the rule should be that a user should not be allowed to delete his/her own account.

jfitzell

2003-02-25 08:45

reporter   ~0003807

Well we have a config option for this:

# --- account delete -----------
# Allow users to delete their own accounts
$g_allow_account_delete     = OFF;

My guess is that we are behaving properly from the My Account section but not in the Manage Users section. We just need to copy the behaviour from one to the other.

jfitzell

2003-02-25 08:48

reporter   ~0003808

I'm actually not sure whether administrators should be limited by this config option but they should definitely be warned that they are deleting their account and asked to confirm. And if they do delete it, we should definitely log them out properly.

rep002

2003-02-25 14:28

reporter   ~0003816

I think we should extend the config option to admins also. Here is my reason.

I think there should be a check to see if there is at least one admin left in the system then that admin should not be allowed to be deleted. Because if he gets deleted and there are no other admins left, then it becomes difficult to manage Mantis from within the application. I know there is a way to add an admin user to the tables by going through the tables directly, but I think it would be elegant to not go through backdoors. So if we extend the same config option to admins then we don't have to check each time an admin is deleted whether he is the last one, thus eliminating the need for a backdoor approach to add an admin if all admins are deleted somehow.

jfitzell

2003-02-25 18:51

reporter   ~0003820

I'd still rather allow admins to delete themselves the same way as everyone else, and if a user can delete other users' accounts they should certainly be able to delete their own. But adding a check to make sure the last admin account isn't deleted is probably a good idea.

rep002

2003-02-27 21:00

reporter   ~0003876

So are there any plans to do this in the next version or was it decided that it was a minor thing that can wait?
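
The checks proposed in this thread, collected into one decision function as an added example (it is not MantisBT code and not written by any participant above): the config option applied on every deletion path, a last-administrator guard, confirmation before self-delete, and a flag telling the caller to end the session afterwards. The function name, the `$users` array shape and the `ADMINISTRATOR` threshold are hypothetical, and the sketch assumes one of the positions discussed: administrators may delete themselves regardless of the option, but only after confirming.

```php
<?php
// Added illustration; not MantisBT code. All names below are hypothetical.
const ADMINISTRATOR = 90; // assumed access-level threshold for this sketch

/**
 * Decide whether $actorId may delete $targetId.
 * $users: id => ['access' => int, 'enabled' => bool] (constructed shape).
 * Returns ['allowed' => bool, 'reason' => string, 'logout' => bool].
 */
function decide_account_delete(int $actorId, int $targetId, array $users,
                               bool $allowAccountDelete, bool $confirmed): array
{
    $deny = fn(string $why) => ['allowed' => false, 'reason' => $why, 'logout' => false];

    if (!isset($users[$actorId], $users[$targetId])) {
        return $deny('unknown user');
    }
    $actorIsAdmin  = $users[$actorId]['access'] >= ADMINISTRATOR;
    $targetIsAdmin = $users[$targetId]['access'] >= ADMINISTRATOR;
    $self          = ($actorId === $targetId);

    // Only administrators may delete other people's accounts.
    if (!$self && !$actorIsAdmin) {
        return $deny('not authorized');
    }
    // Non-admin self-delete follows the config option on every code path
    // (My Account and Manage Users alike).
    if ($self && !$actorIsAdmin && !$allowAccountDelete) {
        return $deny('self delete disabled');
    }
    // Never remove the last enabled administrator.
    if ($targetIsAdmin) {
        $admins = array_filter($users,
            fn($u) => $u['enabled'] && $u['access'] >= ADMINISTRATOR);
        unset($admins[$targetId]);
        if (count($admins) === 0) {
            return $deny('last administrator');
        }
    }
    // Self-delete needs explicit confirmation; afterwards the session must end.
    if ($self && !$confirmed) {
        return $deny('confirmation required');
    }
    return ['allowed' => true, 'reason' => 'ok', 'logout' => $self];
}

// Constructed sample data: one administrator and one ordinary user.
$users = [1 => ['access' => 90, 'enabled' => true], 2 => ['access' => 25, 'enabled' => true]];
var_dump(decide_account_delete(1, 1, $users, false, true));
```

When `logout` is true, the caller should invalidate the session and its cookie before rendering any further page, which addresses the error described in the report.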