How to delete a user? (GDPR)


Can someone clarify the recommended method for deleting (not suspending) a user? It's something I'm rarely asked to do but with GDPR looming I want to make sure it's handled properly. Way back in the mists of time I seem to recall user deletion was a little flaky in DF and someone developed a plugin to make it more robust but I'm not sure what the current state of play is. Any thoughts (or code for 9.2.1) greatly appreciated!

Note: WWW Private Listing - Staff Only

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
linux/Apache 2.4.27/MySQL 10.1.26-MariaDB/PHP 5.2.17/Dragonfly 9.2.1


As of today we don't support user deletion, and talking about the plugin, it did create database issues which had to be corrected by the installer when upgrading.

.:: I met php the 03 December 2003 :: Unforgettable day! ::.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
CloudLinux / Apache 2.4 LSAPI / MySQLi 5.7 / PHP 7.3 / head


Thanks for the reply. So, if we do need to delete a user (which is definitely the case), what would be my best way forward here? I understand that it's not something officially supported, just need some pointers I think.

Note: WWW Private Listing - Staff Only

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
linux/Apache 2.4.27/MySQL 10.1.26-MariaDB/PHP 5.2.17/Dragonfly 9.2.1


The problem of forums is that people quote other people.
Therefore when you want to delete an account you must look everywhere and start anonymizing quotes.
So, there you have it. You can't easily :)

But.... GDPR is not about nicknames (unless someone was stupid enough to use his personal name).

The only thing that remains is that you must make it impossible or impractical to connect personal data to an identifiable person.

TODO:
  1. change/scramble the user nickname (if you like, not GDPR issue in general but good idea)
  2. remove his uploaded avatar (if you like, not GDPR issue in general)
  3. change/scramble the user email address (if you like, not GDPR issue in general)
  4. change/scramble personal data (this is GDPR issue, if you collect any, most don't)
  5. now suspend his account

Good read: iapp.org/news/a/lookin...ymization/


More important
Your website must be SSL (or at least the login).
If you don't have https you're screwed anyway (deleting users is your least concern).
Just don't collect personal data (first name, last name, localization, etc.)

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial

Last edited by DJ Maze on Wed Mar 28, 2018 5:28 pm; edited 8 times in total


Thanks for the reply. Most of that we actually do already (which is good, I'm glad we've been operating along the right lines) but in terms of our specific situation we do actually need to collect personal data and in addition to the impact GDPR is going to have we also have the administrative task of dealing with people who ask for their accounts to be deleted and then would complain if we didn't address the issue of their forum posts still being visible. I don't see quoting being an issue in practice here really, as long as users see that their own posts have been deleted (even if quoted elsewhere) they're generally satisfied.

I suppose what I'm saying is if we carry out the tasks just listed, i.e.

  1. change/scramble the user nickname (if you like, not GDPR issue in general but good idea)
  2. remove his uploaded avatar (if you like, not GDPR issue in general)
  3. change/scramble the user email address (if you like, not GDPR issue in general)
  4. change/scramble personal data (this is GDPR issue, if you collect any, most don't)
  5. now suspend his account

and then use a sql query to remove a particular user's posts from the forum (which we've done previously for frequent posters rather than manual removal of one or two posts) then that's probably just about all we need to do...apart from think about (only sent?) PMs possibly, which users will probably also expect to be removed if they request complete removal of their data from our systems. Leaving that last issue aside though, I don't understand the internals of DF enough to appreciate why the previous steps (or genuine account deletion rather than scrambling) can't be automated at the click of a button but clearly there's more to it than meets the eye.

Note: WWW Private Listing - Staff Only

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
linux/Apache 2.4.27/MySQL 10.1.26-MariaDB/PHP 5.2.17/Dragonfly 9.2.1


What about broken links pointing to the deleted user's content such as forums, news, media, downloads, or any third party module's thread/insert/comment... geez, I hate broken links, and so do search engines.

If all resources had a template to stick to, it might work... and if each module/plugin provides a class method to delete its own user content?

Honestly we do say
"We are not responsible for comments posted by our users, as they are the property of the poster."
and only with v10 is it possible to really stick to it.

.:: I met php the 03 December 2003 :: Unforgettable day! ::.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
CloudLinux / Apache 2.4 LSAPI / MySQLi 5.7 / PHP 7.3 / head

Last edited by NanoCaiordo on Wed Mar 28, 2018 7:11 pm; edited 2 times in total


Sure, I mean I take the point but it's an imperfect world and most things involve a degree of compromise when there are competing priorities. Not deleting stuff (or being able to do so easily) when reasonably requested to do so due to a fear of broken links/negative seo feels a little bit like the tail wagging the dog - but that's from my perspective as a site owner with a specific set of installed modules etc, I get that as a developer you need to be able to cater for all possible configurations and scenarios which may make what feels straightforward to me virtually impossible to offer in practice.

Note: WWW Private Listing - Staff Only

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
linux/Apache 2.4.27/MySQL 10.1.26-MariaDB/PHP 5.2.17/Dragonfly 9.2.1


Hi macavity,

I now reply to your post dragonflycms.org/Forum...tml#159621

Now you ask me to delete all your posts so I run
DELETE FROM cms_bbposts_text WHERE post_id IN (SELECT post_id FROM cms_bbposts WHERE poster_id = 896);
DELETE FROM cms_bbposts WHERE poster_id = 896;

Now, someone tries to read this topic for important info and asks himself:
"Hey, DJ Maze replies to macavity but I can't see macavity's post.
Am I going nuts here?
Does the website have a bug?
Why does the topic say 30 replies, but only 4 are visible?".

Not to mention threaded News comments that go whack!

Just do:
UPDATE cms_bbposts_text SET post_text='removed by admin on request' WHERE post_id IN (SELECT post_id FROM cms_bbposts WHERE poster_id = 896);

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial

Last edited by DJ Maze on Thu Mar 29, 2018 3:10 pm; edited 4 times in total
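
The in-place redaction recommended in the post above, combined with the quoting problem raised earlier in the thread, as an added example that is not part of the original posts or of Dragonfly's code. It runs against an in-memory SQLite database with a simplified, constructed two-table layout; the column names, the `[quote="name"]` BBCode form and the helper names are assumptions.

```python
import re
import sqlite3

NOTICE = "removed by admin on request"  # wording taken from the thread

def build_demo_db():
    """Constructed sample data; simplified layout with assumed column names."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE cms_bbposts (post_id INTEGER PRIMARY KEY, topic_id INT, poster_id INT);
        CREATE TABLE cms_bbposts_text (post_id INTEGER PRIMARY KEY, post_text TEXT);
        INSERT INTO cms_bbposts VALUES (1, 10, 896), (2, 10, 7), (3, 10, 896), (4, 10, 7);
        INSERT INTO cms_bbposts_text VALUES
          (1, 'My phone number is 555-0100'),
          (2, '[quote="macavity"]My phone number is 555-0100[/quote] Do not post that!'),
          (3, 'Oops, thanks'),
          (4, 'Unrelated reply');
    """)
    return db

def redact_user(db, poster_id, nickname):
    """Blank the user's own posts in place and scrub quotes of them elsewhere."""
    # Non-greedy match: handles flat quotes only, nested quotes need a real parser.
    quote = re.compile(r'\[quote="?%s"?\].*?\[/quote\]' % re.escape(nickname),
                       re.IGNORECASE | re.DOTALL)
    with db:  # one transaction: commit on success, roll back on any error
        own = db.execute(
            "UPDATE cms_bbposts_text SET post_text = ? WHERE post_id IN "
            "(SELECT post_id FROM cms_bbposts WHERE poster_id = ?)",
            (NOTICE, poster_id)).rowcount
        rows = db.execute(
            "SELECT t.post_id, t.post_text FROM cms_bbposts_text t "
            "JOIN cms_bbposts p ON p.post_id = t.post_id WHERE p.poster_id <> ?",
            (poster_id,)).fetchall()
        quoted = 0
        for post_id, text in rows:
            # The replacement also drops the nickname from the quote tag.
            new_text, hits = quote.subn("[quote]%s[/quote]" % NOTICE, text)
            if hits:
                db.execute("UPDATE cms_bbposts_text SET post_text = ? WHERE post_id = ?",
                           (new_text, post_id))
                quoted += 1
    return own, quoted  # (own posts redacted, other posts with scrubbed quotes)

def visible_posts(db, topic_id):
    """Posts that still have both a header row and a text row in the topic."""
    return db.execute(
        "SELECT COUNT(*) FROM cms_bbposts p JOIN cms_bbposts_text t "
        "ON t.post_id = p.post_id WHERE p.topic_id = ?", (topic_id,)).fetchone()[0]
```

Because no rows are deleted, the topic's reply count and the visible posts stay in step, which is the inconsistency the DELETE approach produces.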


A better solution, definitely - many thanks!

Note: WWW Private Listing - Staff Only

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
linux/Apache 2.4.27/MySQL 10.1.26-MariaDB/PHP 5.2.17/Dragonfly 9.2.1


In v10 source I've implemented this and some more.
See commit bitbucket.org/dragonfl...9860e67a40

It's not finished as it needs to:
  • delete all user uploaded files
  • modules need to implement the
    \Dragonfly\Identity::hookEventListener('delete', 'callable function here');

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial

Last edited by DJ Maze on Sat Mar 31, 2018 12:50 pm; edited 5 times in total

All times are UTC

