A friend of mine aliased the rm filename Unix command (remove a file) to always execute as rm -i
filename to inquire if he really wanted to remove the file, thinking it would be safer; more difficult to accidentally delete a file. He got so used to just hitting ‘y’ that – you can guess the rest.
Right. A few rules I use:
- the right thing should be easy.
- the hard thing should be less easy. This is not accomplished by making things intentionally difficult, but by making right things easier and making wrong (or dangerous) things require the investment of user time to specify what they want to do.*
- destructive things should be made undoable. I know a lot of people who alias rm to rm -i; never seen it work. I wrote a simple ruby script that just moves the file to the .Trash folder, and appends a numeric suffix in case of a name collision. Provides a simple undo.
- consistency is good. Don’t make the same delete command remove a file from one volume immediately, without undo, and on another volume just move to .Trash. “Are you sure?” doesn’t make this behavior better; it makes it worse.
(and “click here” are the two most evil words on the www, but that’s another rant)
On a similar note, when has the response to an “OK” message box ever been OK? It’s usually “Hell, no, it’s not OK,” but that’s never an option.
- The specification part does not mean “ask for confirmation.” It means require the user to say what they mean. You want to perform a file op on a file in a folder, recursively, rather than just one file? Make the user specify -R for recursion. You want to delete immediately instead of moving to .Trash? Make the user specify immediate deletion.
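The “move to .Trash with a numeric suffix on collision, and require -R for directories” behavior described above, as an added example in Ruby; this is not the poster’s script, and the trash location and the `recursive:` keyword are my own choices:

```ruby
require "fileutils"

# Move +path+ into +trash_dir+ instead of unlinking it, so the delete is
# undoable. A same-named entry already in the trash is never overwritten:
# the new arrival gets a numeric suffix (name.1, name.2, ...).
# Directories are refused unless recursive: true, the equivalent of making
# the user spell out -R rather than defaulting to the dangerous case.
def trash(path, trash_dir: File.join(Dir.home, ".Trash"), recursive: false)
  raise ArgumentError, "#{path}: no such file" unless File.exist?(path) || File.symlink?(path)
  if File.directory?(path) && !File.symlink?(path) && !recursive
    raise ArgumentError, "#{path} is a directory; pass recursive: true (-R)"
  end
  FileUtils.mkdir_p(trash_dir)
  dest = unique_name(File.join(trash_dir, File.basename(path)))
  FileUtils.mv(path, dest)   # rename, not delete: the bytes are still there
  dest
end

# Pick the first of name, name.1, name.2, ... that does not already exist
# in the trash, so earlier "deleted" versions stay recoverable.
def unique_name(candidate)
  return candidate unless File.exist?(candidate) || File.symlink?(candidate)
  n = 1
  n += 1 while File.exist?("#{candidate}.#{n}") || File.symlink?("#{candidate}.#{n}")
  "#{candidate}.#{n}"
end

# Minimal CLI: trash.rb [-R] file...  (hypothetical script name)
if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
  recursive = ARGV.delete("-R") ? true : false
  ARGV.each { |f| puts "#{f} -> #{trash(f, recursive: recursive)}" }
end
```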
Which brings up admin accounts: The whole make-it-easier/make-it-difficult might fall down for the idea of administration. Admins do the path you don’t want done. Wipe a disk, remove folders, change accounts - do you really want to make their lives difficult? Should everything the administrator does be made difficult?
Nope, just safer and more explicit. As an example, it used to be trivial in many *nix systems to specify overlapping start and end values when partitioning a system, resulting in corrupt disks. Now, most systems don’t permit you to use an overlapping value.
Similar logic can be applied elsewhere. I often run into issues where after Joe leaves the company and his account is removed, there’s one file on his local drive that someone forgot to get, and now it’s gone. Maybe removing a user account and folder should include a “back up files to…” required default that requires the admin to specify “nope, remove without making the backup.”
Not more difficult, so much as more explicit. And not ask “are you sure.” That’s one of the biggest things wrong with UAC; it’s a giant “are you sure” message box, acting as a last-chance workaround for busted code.