
Opened 2 years ago

Last modified 2 years ago

#43880 assigned enhancement

Add functionality to add an anonymous user and get its ID for anonymization of data related to a WordPress user.

Reported by: TZ Media
Owned by: tz-media
Milestone: Future Release
Priority: normal
Severity: normal
Version:
Component: Privacy
Keywords: has-patch, needs-testing, needs-unit-tests, 2nd-opinion
Focuses:
Cc:

Description

When we need to anonymize data that is (or can be) associated with a WordPress user, we anonymize it by changing the user ID of that data to a user that represents anonymized content. But currently no such user exists, so we set the ID to 0.

In order to display an actual user name (at least for posts), we would need an actual user 'Anonymous' that we can re-assign the content to.

This might be created on WordPress install by default (maybe even with a User ID of 0 that we can then hardcode into the anonymized functions), or by calling a function like _wp_privacy_get_anonymous_user_id() that creates the user if not already created and returns the user ID (that might be stored in a site_option).

Attachments (4)

43880.patch (1.9 KB) - added by TZ Media 2 years ago.
Helper function to generate an anonymous user and get its ID.
43880.1.patch (2.0 KB) - added by TZ Media 2 years ago.
Checks if cached user id actually exists instead of returning it blindly.
43880.2.diff (2.0 KB) - added by lbenicio 2 years ago.
added unit tests to patch 43880
43880.3.diff (544 bytes) - added by lbenicio 2 years ago.
move unit test to the correct place


Change History (17)

@TZ Media
2 years ago

Helper function to generate an anonymous user and get its ID.

#1 @TZ Media
2 years ago

  • Keywords has-patch needs-testing needs-unit-tests 2nd-opinion added; needs-patch removed
  • Adds a helper function _wp_privacy_get_anonymous_user_id() that generates an anonymous user if none exists and returns its ID.
    • Returns 0 if no user could be created.
  • Adds a user_id type to the existing wp_privacy_anonymize_data() helper function to allow easy anonymization of a user ID.

Questions: How can we prevent logins and wp_admin access by that user by all means? I've set the password to null and the role to the non-existing role anonymous_user, but I hope there's a more elegant way to achieve this.
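The helper as the patch summary above describes it (cached ID in a site option, re-validated before use, 0 on failure), as an added PHP sketch that is not the ticket's attached patch. The option name, the login name 'anonymous', the empty role and the `authenticate` filter that refuses logins for that account are assumptions, not anything the patch itself does.

```php
<?php
/**
 * Added illustration, not the ticket's attached patch. Returns the ID of the
 * anonymous user, creating it on first use, or 0 if it cannot be created.
 */
function _wp_privacy_get_anonymous_user_id() {
    // Option name is an assumption. Re-validate the cached ID rather than
    // returning it blindly: an admin may have deleted the user meanwhile.
    $user_id = (int) get_site_option( 'wp_privacy_anonymous_user_id', 0 );
    if ( $user_id > 0 && get_userdata( $user_id ) ) {
        return $user_id;
    }

    $user_id = wp_insert_user(
        array(
            'user_login'   => 'anonymous', // assumed login name
            'display_name' => 'Anonymous',
            // Long random password instead of null: the account is never
            // meant to be logged into, but the hash must still be unguessable.
            'user_pass'    => wp_generate_password( 64, true, true ),
            // Empty role: WP_User::set_role( '' ) leaves the user with no
            // capabilities at all, so no wp-admin access.
            'role'         => '',
        )
    );

    if ( is_wp_error( $user_id ) ) {
        return 0; // Callers fall back to user ID 0, as the ticket describes.
    }

    update_site_option( 'wp_privacy_anonymous_user_id', $user_id );
    return $user_id;
}

// Defence in depth: refuse authentication for the anonymous account even if
// its password is later reset. Reads the option directly so that a login
// attempt never triggers user creation as a side effect.
add_filter( 'authenticate', function ( $user ) {
    $anon_id = (int) get_site_option( 'wp_privacy_anonymous_user_id', 0 );
    if ( $user instanceof WP_User && $anon_id > 0 && $user->ID === $anon_id ) {
        return new WP_Error( 'anonymous_user_login', 'This account cannot log in.' );
    }
    return $user;
}, 99 );
```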

#2 @desrosj
2 years ago

  • Milestone changed from Awaiting Review to 4.9.6
  • Owner set to tz-media
  • Status changed from new to assigned

@TZ Media
2 years ago

Checks if cached user id actually exists instead of returning it blindly.

#3 @TZ Media
2 years ago

Thinking of that... if we create a new user, because something went wrong with the old one (deleted by admin or whatever), should we reassign all posts/comments etc. to the newly created user automatically? And if so, should we do this inside the function itself, or schedule an event that reassigns them?

#4 @TZ Media
2 years ago

Note: This extends #43545, so that patch needs to be backported before this can be backported to 4.9.6.

#5 @desrosj
2 years ago

  • Milestone changed from 4.9.6 to 4.9.7

#6 @desrosj
2 years ago

  • Milestone changed from 4.9.7 to 4.9.6

This ticket was mentioned in Slack in #gdpr-compliance by desrosj.
2 years ago

#8 @allendav
2 years ago

Cool idea. If we create a user automagically, we should carefully consider roles/capabilities for the user, whether they should ever be able to log in (probably not), etc.

Maybe .7 to allow time for us to think this through?

#9 @desrosj
2 years ago

  • Milestone changed from 4.9.6 to 4.9.7

@lbenicio
2 years ago

added unit tests to patch 43880

#10 @desrosj
2 years ago

  • Milestone changed from 4.9.7 to Future Release

Moving gdpr tickets that are not bugs to Future Release until the next steps can be properly evaluated.

#11 @desrosj
2 years ago

  • Component changed from General to Privacy

Moving to the new Privacy component.

@lbenicio
2 years ago

move unit test to the correct place

#12 @dejliglama
2 years ago

Instead of moving data to a fake user "anonymous" - why not use the anonymizing functions on whatever user we anonymize, and instead change the ROLE of the user to anonymous.

So what IS new in the system, is a role that has no rights whatsoever.

Doing it like this, you keep any data integrity between posts, and other data, since you don't move things around.

#13 @desrosj
2 years ago

  • Keywords gdpr removed

Removing the GDPR keyword. This has been replaced by the new Privacy component and privacy focuses in Trac.
