Archive or Trash: there is no delete

by Pascal Rettig posted Nov 29, 2010

Webiva is a piece of software that lived for a long time as an internal tool whose users (us) at least sort of knew what we were doing.

As we both opened up the tool to other developers and began getting users with more experience who wanted to be able to do more with the system, we began to notice that certain things the system allowed you to do were a little too destructive.

One issue in particular has crept up again and again: deleting blogs.

Since Webiva allows you to create as many blogs as you like in the system (sites often use multiple blogs for Press Releases, News, etc.), it also lets you delete those blogs. While most users don't have permission to delete blogs, that permission is bundled together with the permission to create blogs, which users will often either ask for or add to their own account if they have the "permissions" permission.

At first we put this little-needed feature in the top right of the blog detail page and just protected it with a confirmation popup that would post to the destroy page if confirmed:

About one week later we got a frantic call:

Client: I just tried to delete a post and I deleted my whole blog
Us: Didn't you read the popup saying, "WARNING: you are deleting an entire blog?"
Client: No

Oh well, to the Backup, Batman!

Ok, we thought, we already know that people don't read every warning, so all we need to do is put a little more protection in.

Our 5-minute fix was to create a separate "destroy" page that had some ugly bold text that explained that they were deleting a whole blog, not a blog post. We even put the warning popup on that page:

Deleting a blog now required 4 clicks confirming that yes, you actually wanted to delete a whole blog.

Cut to a month later or so (different website):

Client: Someone hacked my site, my blog's gone
Us: How did that happen?
Client: I don't know
...Searching through the logs...
Us: Looks like you actually deleted it this morning
Client: Oh, I remember it saying something when I tried to delete a post but I just clicked "ok" until it worked.

Backup, here we come...

Sure, we thought: the problem is that the top right of the page is actually pretty noticeable. As the next 5-minute fix, in the new design we can hide the feature so that it's only visible when a user clicks on "More", while the actual delete-post functionality stays visible in the table like all the other actions.



However this week the same thing happened again on yet another site, which confirmed what I already knew but hadn't taken the time to fix properly: It's not their fault. It's ours.

We could have followed this to its natural conclusion: adding a big warning icon, moving the blog delete to a different subpage, and so on, but I'd guess that there is no amount of protection we can put in to 100% prevent a harried small business owner from deleting a blog. We could probably incrementally decrease the proportion that do it, but since our goal is to create a foolproof self-service tool, any chance is too high.

While it seems odd that warning screen after warning screen doesn't act as a deterrent, when a user is trying to figure something out, they will follow the first scent trail they see to its natural conclusion. If they find the "Delete Blog" button before they notice the "Delete Post" button, they will go on down that path until something happens.

No warning, flashing text, or videos of kittens fighting will dissuade them from their path.

The solution is not to keep putting up bigger and bigger walls, as at each step the user just gets more frustrated, to the point where they are just clicking and not reading a single thing.

The solution is quite simple: you can never let the user take a single action that can't be easily reversed, either by the user or by an Admin.

In complicated systems users never really know what they are doing and just satisfice their way through. What this means is that, unfortunately, as a developer you can't automatically remove deleted data from the database or the file system. It makes systems more complicated, since you need to make sure you only show "undeleted" data by default, but it's really not that hard. It just takes more than 5 minutes.

The two most common ways to solve this are to use a "Trash can" where deleted content goes to die until emptied, or to add an "Archive" flag to pieces of content that doesn't remove them but simply hides them from the main Admin screen. These features are fairly easy to add provided you account for them early in your application design.
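The trash-can approach described above, as an added example that is not Webiva's code: "delete" only marks the row, a view hides trashed rows by default, and permanent removal is a separate admin-only step. The table, column and function names and the 30-day retention window are assumptions made for illustration.

```python
import sqlite3
from datetime import timedelta

RETENTION = timedelta(days=30)  # assumed window before a trashed blog may be purged

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE blogs (
            id INTEGER PRIMARY KEY,
            name TEXT NOT NULL,
            deleted_at INTEGER,   -- epoch seconds; NULL means the blog is live
            deleted_by TEXT       -- who pressed "delete", for the support call
        );
        -- Every normal read goes through this view, so trashed rows never show.
        CREATE VIEW live_blogs AS
            SELECT id, name FROM blogs WHERE deleted_at IS NULL;
    """)
    return db

def trash(db, blog_id, user, now):
    """What the "Delete Blog" button does: mark the row, remove nothing."""
    cur = db.execute(
        "UPDATE blogs SET deleted_at = ?, deleted_by = ? "
        "WHERE id = ? AND deleted_at IS NULL",
        (int(now.timestamp()), user, blog_id))
    return cur.rowcount == 1

def restore(db, blog_id):
    """Undo for the user or an admin: the blog reappears in live_blogs."""
    cur = db.execute(
        "UPDATE blogs SET deleted_at = NULL, deleted_by = NULL "
        "WHERE id = ? AND deleted_at IS NOT NULL", (blog_id,))
    return cur.rowcount == 1

def purge(db, blog_id, is_admin, now):
    """Permanent removal: admins only, and only after RETENTION in the trash."""
    if not is_admin:
        return False
    cutoff = int((now - RETENTION).timestamp())
    cur = db.execute(
        "DELETE FROM blogs WHERE id = ? AND deleted_at IS NOT NULL "
        "AND deleted_at <= ?", (blog_id, cutoff))
    return cur.rowcount == 1

def live_names(db):
    return [row[0] for row in db.execute("SELECT name FROM live_blogs ORDER BY id")]
```

Keeping `purge` behind a different check than `trash` also avoids the situation described earlier, where the right to destroy a blog rides along with the right to create one.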

Don't make the mistake that we did: assuming that we could kludge our way out of the problem by putting up warning screen after warning screen. It needs a real fix, and the only solution is that there is no (permanent) delete option. And no, we haven't actually implemented the fix yet, but it should be available in Webiva 1.1, as we're working on adding a system-wide trash can.