nopSolutions / nopCommerce

ASP.NET Core eCommerce software. nopCommerce is a free and open-source shopping cart.
https://www.nopcommerce.com

GDPR: customer ip addresses saved in logs #7155

Closed Manuel-Innovapps closed 2 months ago

Manuel-Innovapps commented 2 months ago

nopCommerce version: 4.60.x +

Steps to reproduce the problem:

  1. Disable setting customersettings.storeipaddresses
  2. Visit the store and produce a log message that is associated with a customer (i.e. with one of the following HTTP status codes: 400, 404, 500).
  3. Visit the logs in the backend and open the details page of the produced log message.
  4. You will see the email of the customer with a link to the customer detail page and, additionally, the IP address of the customer.

Based on the GDPR, this is not allowed, as with this log entry the displayed IP address can be directly associated with the customer.

Proposed solution: If customersettings.storeipaddresses is disabled, IP addresses in the logs should not be stored for registered customers (or even any customers).

https://github.com/nopSolutions/nopCommerce/blob/8ad98f390753bce78fed8cdc6f712ffdb513fe2b/src/Libraries/Nop.Services/Logging/DefaultLogger.cs#L191-L201
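The gating the proposed solution asks for, shown as an added example that is not nopCommerce's own code. The `CustomerSettings`, `Log`, `IWebHelper` and logger classes below are minimal stand-ins (assumptions) for the real nopCommerce types, so the snippet compiles as a plain .NET console program. The first method keeps the reported behaviour (IP captured unconditionally); the second only persists the IP when `StoreIpAddresses` is enabled, and `FindLinkableEntries` is the audit check a store owner can run against existing rows to find entries that still tie an IP to a customer.

```csharp
// Added illustration, not nopCommerce code. All types are stand-ins so the
// example runs on its own (dotnet 6+ console app).
using System;
using System.Collections.Generic;
using System.Linq;

public enum LogLevel { Debug = 10, Information = 20, Warning = 30, Error = 40, Fatal = 50 }

// Stand-in for Nop.Core.Domain.Customers.CustomerSettings (assumed shape)
public class CustomerSettings
{
    public bool StoreIpAddresses { get; set; }
}

// Stand-in for the Nop.Core.Domain.Logging.Log entity (assumed shape)
public class Log
{
    public LogLevel LogLevel { get; set; }
    public string ShortMessage { get; set; } = "";
    public string FullMessage { get; set; } = "";
    public string IpAddress { get; set; } = "";
    public int? CustomerId { get; set; }
    public DateTime CreatedOnUtc { get; set; }
}

// Stand-in for the slice of Nop.Core.IWebHelper a logger needs (assumed)
public interface IWebHelper
{
    string GetCurrentIpAddress();
}

public class PrivacyAwareLogger
{
    private readonly CustomerSettings _customerSettings;
    private readonly IWebHelper _webHelper;
    public readonly List<Log> Stored = new(); // stands in for the [Log] table

    public PrivacyAwareLogger(CustomerSettings customerSettings, IWebHelper webHelper)
    {
        _customerSettings = customerSettings;
        _webHelper = webHelper;
    }

    // Reported behaviour: the client IP is written regardless of the setting.
    public Log InsertLogUnconditional(LogLevel level, string shortMessage, string fullMessage, int? customerId)
    {
        var log = new Log
        {
            LogLevel = level, ShortMessage = shortMessage, FullMessage = fullMessage,
            IpAddress = _webHelper.GetCurrentIpAddress(),
            CustomerId = customerId, CreatedOnUtc = DateTime.UtcNow
        };
        Stored.Add(log);
        return log;
    }

    // Proposed behaviour: only persist the IP when the merchant has opted in.
    public Log InsertLog(LogLevel level, string shortMessage, string fullMessage, int? customerId)
    {
        var log = new Log
        {
            LogLevel = level, ShortMessage = shortMessage, FullMessage = fullMessage,
            IpAddress = _customerSettings.StoreIpAddresses ? _webHelper.GetCurrentIpAddress() : string.Empty,
            CustomerId = customerId, CreatedOnUtc = DateTime.UtcNow
        };
        Stored.Add(log);
        return log;
    }

    // Audit check: rows that link an identifiable customer to an IP address.
    public IEnumerable<Log> FindLinkableEntries() =>
        Stored.Where(l => l.CustomerId.HasValue && !string.IsNullOrEmpty(l.IpAddress));
}

// Fake request context returning a fixed, constructed client address.
class FixedIpWebHelper : IWebHelper
{
    public string GetCurrentIpAddress() => "203.0.113.7"; // TEST-NET-3 documentation range
}

public static class Program
{
    public static void Main()
    {
        var settings = new CustomerSettings { StoreIpAddresses = false }; // setting disabled, as in step 1
        var logger = new PrivacyAwareLogger(settings, new FixedIpWebHelper());

        logger.InsertLogUnconditional(LogLevel.Error, "404", "Page not found", customerId: 42);
        logger.InsertLog(LogLevel.Error, "404", "Page not found", customerId: 42);

        foreach (var l in logger.Stored)
            Console.WriteLine($"customer={l.CustomerId} ip='{l.IpAddress}'");

        Console.WriteLine($"entries linking a customer to an IP: {logger.FindLinkableEntries().Count()}");
    }
}
```

With the setting disabled, only the unconditional entry shows up in `FindLinkableEntries`; the same LINQ predicate, run against the real `[Log]` table, is a quick way to confirm whether historical rows need cleaning after the fix.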

AndreiMaz commented 2 months ago

@Manuel-Innovapps You've written "1. Enable setting customersettings.storeipaddresses". But in this case IP addresses will be stored in the [Customer] table as well. Did you mean "1. Disable setting customersettings.storeipaddresses"? So when disabled, then IP addresses should not be stored in the [Customer] and [Log] tables?

Manuel-Innovapps commented 2 months ago

@AndreiMaz I'm sorry for the confusion, this is exactly what I meant.

They should especially not be stored in logs if a customerId is passed. But I think generalizing to all logs should work out just fine.

skoshelev commented 2 months ago

Closed #7155