Deleting a user should anonymize all entries

When deleting a user, all its associated wiki changes / comments / etc. need to be anonymized according to DSGVO / GDPR

Steps to reproduce:

  1. A creates a wiki page W1
  2. B creates a wiki page W2
  3. A changes the wiki page W2
  4. A adds a comment to wiki page W3
  5. Admin deletes user A

After step 4: W1, W2 and W3 will somehow have an association to user A (new page, edited page, comment)
After step 5: A is still in the history of W1, W2 and W3

Expected: the user should be completely anonymized according to DSGVO / GDPR

Does anyone know if this is possible, can be configured or is a feature request?

That would be a feature request. The way to implement something like this is generally to listen to deleted document events in a listener and clean up related metadata (which is already done for users but only for rights and group members and not for document authors).


Note that there are some companies sponsoring the development of the XWiki open source software and I’m sure you could contact them to ask to sponsor this feature in XWiki if you need it anytime soon and you cannot develop it yourself (we’d love it if you could contribute it!) :slight_smile: That would definitely help XWiki!

See https://www.xwiki.org/xwiki/bin/view/Main/Support#HProfessionalSupport


I would be interested to have a look at how difficult this is to implement on my own. Can someone give me some hints and tell me some sections / files which I should have a look at?

As I said, it's about DSGVO / GDPR, so, not something which can be ignored when running an XWiki in a company.

Thanks in advance.

The existing cleanup I was mentioning for rights and groups is located in https://github.com/xwiki/xwiki-platform/blob/master/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/plugin/rightsmanager/RightsManagerListener.java. Document author cleanup could go in there too I guess.

A probably better alternative would be to reuse the author switch system which is currently triggered when you delete a user with programming right (so that the documents this user authored don’t end up broken when they contain scripts). It would make sense to me to have an option to ask this question for all deleted users and not just PR ones. See https://jira.xwiki.org/browse/XWIKI-12142 for more details about this feature.

I guess, changing the author is not what should be done in this case. The author should be anonymized.

Additionally, all other places in which the deleted user is stored need to be anonymized, like comments, changes to a file, History, etc.

Is this something which should be done with the RightsManagerListener.java or better to use the XWIKI-12142 approach?

It’s the same thing. The document always has an author, you would just choose the guest user (or some other virtual user we could introduce specifically for that) if you don’t want a specific one.

As I said for me the best is to complete the already existing user deleting process to add support for the anonymization use case since it should not require much.

Thanks @tmortagne

some more questions:

  • what about API? If you delete a user by API, is such a process to choose another user already implemented for the XWIKI-12142 use case?
  • I guess, there should be an “anonymous” user which will be used automatically because I don’t think that it does make sense to switch the author of comments to a real user
  • do you have an idea what the process to choose another user when you delete a user should look like? Would this be a checkbox in the delete user UI? Or a general setting?

There is no dedicated delete user API currently, you delete the user page which is technically the same thing for XWiki right now (since a user is a wiki page).

Yes we do have this kind of user already (called “guest” or “unauthenticated user” in the UI).

I guess something like a radio button choice between “anonymous” or “select another user” with an input like we currently have for PR user delete would do it but not really the UI expert here :slight_smile:

Would it be also possible to fix the issue by running a SQL update after deleting the user?

…just because of this GDPR, which specifies that user data needs to be deleted if there is no need for that data any longer. Would be interesting, how this is done by other companies / authorities as they have the same issue with the right to be forgotten.

As I said we already have code existing to modify all the documents associated to a specific user (and it’s not as simple as a SQL update since there are various things involved in the modification of a document). On the script side there is a changeDocumentAuthor API in the refactoring script service or on the Java side you can directly use the REPLACE_USER job. See https://github.com/xwiki/xwiki-platform/blob/xwiki-platform-12.8/xwiki-platform-core/xwiki-platform-refactoring/xwiki-platform-refactoring-api/src/main/java/org/xwiki/refactoring/script/RefactoringScriptService.java#L527.

Is there an update on this?

I guess, a lot of companies / organizations will switch from Confluence to XWiki in the next months because of the change in how Confluence sells their product.

They may ask the same questions of how XWiki handles “Art. 17 GDPR Right to erasure (‘right to be forgotten’)” (DSGVO: Recht auf Vergessenwerden).

Do the newer versions of XWiki improve the GDPR / DSGVO in this point?

No work was done on this AFAIR. It’s not an easy topic and ATM it’s not on the roadmap, see Roadmap (XWiki.org)

What we have is https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/11.8/#HReplaceAuthorwhenDeletingUsers which is a step in the right direction. It just won’t change past history though.

Also changing a user page title should be easy but changing a user id is harder.

For now, I guess you could modify directly the DB if you’re careful enough but not sure how easy/hard this is for the JRCS records (history).