Opened 17 months ago

Last modified 14 months ago

#43880 assigned enhancement

Add functionality to add an anonymous user and get its ID for anonymization of data related to a WordPress user.

Reported by: TZ Media
Owned by: tz-media
Milestone: Future Release
Priority: normal
Severity: normal
Version:
Component: Privacy
Keywords: has-patch, needs-testing, needs-unit-tests, 2nd-opinion
Focuses:
Cc:

Description

When we need to anonymize data that is (or can be) associated with a WordPress user, we anonymize it by changing the user ID of that data to a user that represents anonymized content. But currently no such user exists, so we set the ID to 0.

In order to display an actual user name (at least for posts), we would need an actual user 'Anonymous' that we can re-assign the content to.

This might be created on WordPress install by default (maybe even with a User ID of 0 that we can then hardcode into the anonymized functions), or by calling a function like _wp_privacy_get_anonymous_user_id() that creates the user if not already created and returns the user ID (that might be stored in a site_option).

Attachments (4)

43880.patch (1.9 KB) - added by TZ Media 17 months ago.
Helper function to generate an anonymous user and get its ID.
43880.1.patch (2.0 KB) - added by TZ Media 17 months ago.
Checks if cached user id actually exists instead of returning it blindly.
43880.2.diff (2.0 KB) - added by lbenicio 16 months ago.
added unit tests to patch 43880
43880.3.diff (544 bytes) - added by lbenicio 16 months ago.
move unit test to the correct place


Change History (17)

@TZ Media
17 months ago

Helper function to generate an anonymous user and get its ID.

#1 @TZ Media
17 months ago

  • Keywords has-patch needs-testing needs-unit-tests 2nd-opinion added; needs-patch removed
  • Adds a helper function _wp_privacy_get_anonymous_user_id() that generates an anonymous user if none exists and returns its ID.
    • Returns 0 if no user could be created.
  • Adds a type of user_id to the existing wp_privacy_anonymize_data() helper function to allow easy anonymization of a user ID.

Questions: How can we prevent logins and wp_admin access by that user by all means? I've set the password to null and the role to the non-existing role anonymous_user, but I hope there's a more elegant way to achieve this.
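
One way to handle the get-or-create behaviour and the login question raised in this comment, as an added example that is not the code from 43880.patch or 43880.1.patch. The option key `example_anonymous_user_id`, the login name `anonymous` and the `example_*` function names are assumptions made for illustration.

```php
<?php
// Added illustration, not the ticket's patch. Hypothetical names: the option key
// 'example_anonymous_user_id', the login 'anonymous', and the example_* functions.

function example_get_anonymous_user_id() {
	$user_id = (int) get_site_option( 'example_anonymous_user_id', 0 );

	// Do not return the cached ID blindly: an admin may have deleted the account.
	if ( $user_id > 0 && get_userdata( $user_id ) ) {
		return $user_id;
	}

	$user_id = wp_insert_user(
		array(
			'user_login'   => 'anonymous',
			'display_name' => 'Anonymous',
			// Long random password that is never stored or shown anywhere,
			// so there is no known credential for this account.
			'user_pass'    => wp_generate_password( 64, true, true ),
			// Empty role: the account is created without any capabilities.
			'role'         => '',
		)
	);

	// Fails, for example, when a real account already uses the login 'anonymous'.
	// Return 0 in that case rather than adopting somebody else's account.
	if ( is_wp_error( $user_id ) ) {
		return 0;
	}

	update_site_option( 'example_anonymous_user_id', $user_id );
	return $user_id;
}

// Refuse password logins for the placeholder account even if its password
// is later reset by an administrator or through the lost-password flow.
function example_block_anonymous_login( $user ) {
	$anonymous_id = (int) get_site_option( 'example_anonymous_user_id', 0 );

	if ( $anonymous_id > 0 && $user instanceof WP_User && (int) $user->ID === $anonymous_id ) {
		return new WP_Error( 'anonymous_login_blocked', 'This account cannot be used to log in.' );
	}
	return $user;
}
add_filter( 'wp_authenticate_user', 'example_block_anonymous_login' );
```

The `wp_authenticate_user` filter runs during username/password and email/password authentication; any other authentication path in use on a site needs its own check against the stored ID.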

#2 @desrosj
17 months ago

  • Milestone changed from Awaiting Review to 4.9.6
  • Owner set to tz-media
  • Status changed from new to assigned

@TZ Media
17 months ago

Checks if cached user id actually exists instead of returning it blindly.

#3 @TZ Media
17 months ago

Thinking of that... if we create a new user, because something went wrong with the old one (deleted by admin or whatever), should we reassign all posts/comments etc. to the newly created user automatically? And if so, should we do this inside the function itself, or schedule an event that reassigns them?

#4 @TZ Media
17 months ago

Note: This extends #43545, so that patch needs to be backported before this can be backported to 4.9.6.

#5 @desrosj
17 months ago

  • Milestone changed from 4.9.6 to 4.9.7

#6 @desrosj
17 months ago

  • Milestone changed from 4.9.7 to 4.9.6

This ticket was mentioned in Slack in #gdpr-compliance by desrosj.


17 months ago

#8 @allendav
17 months ago

Cool idea. If we create a user automagically, we should carefully consider roles/capabilities for the user, whether they should ever be able to log in (probably not), etc.

Maybe .7 to allow time for us to think this through?

#9 @desrosj
17 months ago

  • Milestone changed from 4.9.6 to 4.9.7

@lbenicio
16 months ago

added unit tests to patch 43880

#10 @desrosj
16 months ago

  • Milestone changed from 4.9.7 to Future Release

Moving gdpr tickets that are not bugs to Future Release until the next steps can be properly evaluated.

#11 @desrosj
16 months ago

  • Component changed from General to Privacy

Moving to the new Privacy component.

@lbenicio
16 months ago

move unit test to the correct place

#12 @dejliglama
15 months ago

Instead of moving data to a fake user "anonymous" - why not use the anonymizing functions on whatever user we anonymize, and instead change the ROLE of the user to anonymous?

So what IS new in the system, is a role that has no rights whatsoever.

Doing it like this, you keep any data integrity between posts, and other data, since you don't move things around.

#13 @desrosj
14 months ago

  • Keywords gdpr removed

Removing the GDPR keyword. This has been replaced by the new Privacy component and privacy focuses in Trac.
