openeuropa / oe_authentication

The OpenEuropa Authentication Drupal module allows authenticating against the European Commission login service EU Login (ECAS).

Delete user #184

Open jvalleva opened 4 months ago

jvalleva commented 4 months ago

The client has asked us to delete (not just block) a certain user. We are using oe_authentication and we have seen that it blocks this possibility. We wanted to confirm with you if this is a security restriction or if we can create a patch to remove that limitation? Please can you explain the security reasons for this limitation? Thanks!

kiwimind commented 4 months ago

Came here to ask the same question, however ours is more along the lines of needing to delete a lot of spam accounts.

Also we seem to have some sites with this enabled and others without, so I'm wondering what benefit this module brings.

jvalleva commented 4 months ago

Hello again, any answers to these questions regarding the limitations of deleting users? We must eliminate users; for this we are forced to create a patch that removes this limitation, but we need to have confirmation that we are not bypassing any security restrictions.

jvalleva commented 4 months ago

Hello again, any answers to these questions regarding the limitations of deleting users?

catalinvlad-tremend commented 4 months ago

Hello @jvalleva,

We also had this issue on our projects and we created a patch to also check for a permission, since user 1 is usually blocked on production.

Patch: oe_authentication.cancel_account.patch

I think you can find some answers here: #79

kiwimind commented 4 months ago

Thanks for the link @catalinvlad-tremend

The answers on that thread really are unsatisfactory, especially due to GDPR concerns. Account holders have a legal right to ask for their information to be removed from a site. There is no way, other than user 1 or having to amend existing functionality, to provide a method to delete users.

I don't know why this decision was made on this module. Personally I would have added it as an optional feature on top of core, not a hard override.

Like @jvalleva we are going to have to look into patching this module in order to reinstate core functionality that has been altered.