pkp / pkp-lib

The library used by PKP's applications OJS, OMP and OPS, open source software for scholarly publishing.
https://pkp.sfu.ca
GNU General Public License v3.0

Auto-prune user accounts after a period of inactivity #3577

Closed jmacgreg closed 2 years ago

jmacgreg commented 6 years ago

Auto-prune inactive user accounts after a period of inactivity. The journal should be able to specify the period of inactivity, and the account into which the user should be merged. For example: if the journal enables this option, and sets the period of inactivity to 1 year, any user that hasn't logged in for 1 year should be merged into an admin account.

This should be an option for journals, set by default to "off", and similar to the auto-pruning of registered but not verified accounts (see "require_validation" and "validation_timeout" in config.inc.php).

asmecher commented 6 years ago

I can think of other useful conditions that would need to be met: they should have no submissions assigned, no discussions/notes, no review assignments, etc. -- basically no participation anywhere in the workflow.

Is the goal to help clean up spam registrations? Are we getting spam registrations en masse with the current releases of OJS, or is this an archaeological dig?

I'd be tempted to put something as drastic as mass user deletion in a plugin or external tool, rather than shipping it with the codebase.

[edit: I see this is related to GDPR. That answers the "why".]

alexxxmendonca commented 6 years ago

I agree that this is a good idea, but I also agree with Alec that it makes sense only if the user has no historical data. Because if they do have some historical data, that data would be added to the Admin's own historical data.

So in my view it would have to be something like an auto-prune for completely inactive accounts.

ajnyga commented 6 years ago

Is auto-prune really needed for filling the "right to be forgotten" demand? I have understood that the users have a) permission to see what data is stored about them and b) ask for it to be removed. I have not seen a demand for automatic removal, but is there another GDPR principle that applies here? (edit: ok so maybe articles 32 and/or 22).

Also I think that the "right to be forgotten" does have limitations. Most notably "Individuals have the right to have their personal data erased if: the personal data is no longer necessary for the purpose which you originally collected or processed it for;". I guess you could argue that the user data in OJS is needed for the editorial archives also after publishing the article. At least the name of the user. Emails, affiliations, passwords etc. are a different story maybe.

See: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

NateWr commented 2 years ago

Closing this for lack of interest.