Delete user don't delete the messages...

010101

Pherinos I can confirm this is the current behavior for user deletion. Your post here actually prompted me to write this post: https://discuss.flarum.org/d/22185-user-management-update

clarkwinkelmann

We have an issue for this flarum/core1928

Related, the spamblock extension has an option to soft-delete all posts before suspending a user https://discuss.flarum.org/d/17772-friendsofflarum-spamblock

010101

clarkwinkelmann Ah, ok. So I guess maybe in a lot of situations it’ll be best to use the spamblock extension and suspend the user instead of using the built in delete user... unless the built in delete functionality gets better.

010101

In another thread I was reminded about the spamblock extension. Until the built in delete user functionality gets better, it’s probably best to “suspend” users with this extension instead of “delete.” Unless you get a GDPR type request from a user...

clarkwinkelmann Related, the spamblock extension has an option to soft-delete all posts before suspending a user https://discuss.flarum.org/d/17772-friendsofflarum-spamblock

clarkwinkelmann

010101 yes. it depends on the intent of course. I would always suspend spammers and rule breakers because that way they can't create a new account.

But in case of GDPR-like scenarios there might be situations where permanent delete is the objective. And yes sadly there's no existing option for that currently. An extension could easily add that feature though.

Pherinos

@clarkwinkelmann
Due to the problem of posts that remain with the status [deleted], the display also poses a problem for "normal" users.
In the posts table, the user_id is set to NULL, so if you have several users deleted, you can't rely posts to a specific user...

So I decided to pass the following SQL query, and everything goes in order, and the messages are erased according to the GDPR.
DELETE FROM posts WHERE user_id IS NULL

This is the radical solution.

A more complex solution to develop:

Delete a user "logically" instead of erasing it from the table, put it a special erased status.
Do not fill the user_id field of the posts with NULL value but leave the user_id and put the message in erased status which will not be displayed any more but which will remain in base (logical erasure).
Provide for GDPR a physical erase function with 'DELETE FROM ...' in conjunction with user_id and posts table.

What do you think of that? Is it possible?

clarkwinkelmann

The problem with soft-deleting users right now is that Flarum expects all users to have a valid email address.

If you delete a user for GDPR reasons, then most likely you want to remove that email. Just allowing null would probably cause multiple issues with what Flarum expects at the moment. If you also want to remove the username, then there's no longer any way to visually link posts to a deleted user anyway.

I'm not sure how we want to handle that, and it's probably not a priority right now given there are other, more manual solutions.

An extension could easily create some kind of users with deleted private info.

Regarding the mass deletion of posts, I think it's also best left to an extension for now.

Pherinos

clarkwinkelmann OK
This is not a priority indeed.

matteocontrini

Messages on a forum aren't necessarily personal data that should be deleted under GDPR. For example, when you post something on StackOverflow you are transferring the ownership of the content you write to StackOverflow. When you delete your account, the content stays there without your profile name, and this is still GDPR compliant.

tankerkiller125

matteocontrini If your sharing it publicly it probably doesn't fall under PII data so I agree with this assesment, the only thing that would need to be deleted is Phone numbers, email, username, etc. published data not so much.

Pherinos

matteocontrini Messages on a forum aren't necessarily personal data that should be deleted under GDPR.

Yes, but in France, we have previous laws still in force that allow a user to request the erasure of any data that he has also written ... Only logs that are not accessible except to admins are not concerned, on the contrary, the law requires to keep them for 3 years!

bkolobara

If I remember correctly, in previous versions of Flarum if you deleted the user it would also delete all posts of this user. But now it looks like this behaviour changed. Even the message, when you click on the delete button, still warns you that this action will delete posts and discussions. It just doesn't happen.

Is there still a way to delete all posts?

jordanjay29

bkolobara Merged this into the existing discussion on it, with answers that are still current.

askvortsov

bkolobara The misleading message will be fixed in the next release. As to options on what to delete/not delete, that's something that, I believe, there is not yet full consensus on.