joindin/joindin-api

[Discussion] User self-deletion procedures

iansltx opened this issue · 3 comments

Right now, to delete themselves, users have to either request deletion via a contact form that doesn't authenticate them, or else hit an API endpoint that we'll be stripping non-admin permissions from.

Copying from chat discussion on this by @zghosts: The simplest solution for now is to add "request deletion" and disallow self-deletion both through the API and the UI; that would cover the legal requirements for GDPR in terms of "the right to be forgotten".

A further expansion would be to self-delete with a quarantine period, representing as an anonymous user in the UI, before being permanently deleted and anonymised after a week or two or manually by an admin.

Question is which steps we want to take here, what exactly that looks like, and when those steps get taken, given that the contact form method, though manual, is technically sufficient, particularly given that admin-based user deletion fully works.

IMHO
Short term solution: Disable self deletion via API
Long(er) term solution: pair UI & API functionality to allow users to delete themselves according to whatever guidelines we decide in this thread.

Okay; closing joindin/joindin-web2#756 as a result of this.