
Make WordPress Core

Opened 3 weeks ago

Last modified 3 weeks ago

#44261 new enhancement

Export User Data includes media URLs, not the actual media files in zip file

Reported by: subrataemfluence
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: trunk
Component: Privacy
Keywords: 2nd-opinion gdpr
Focuses: privacy
Cc:

Description

Use of media URLs rather than the original media files in the Exported User Data zip file is probably to keep the file small in size so that it can be transferred quickly.

But what if an admin, or any user with the same level of privilege, accidentally deletes one or more media files of the user requesting a personal data export after the export is initiated and emailed / downloaded?

Do we already have a guard or option to deal with such a situation? Is it possible to include the physical media files in the zip, or at least create a separate area where these files would be backed up and the reference URLs point to this location?

We can warn the user (in the same email as the download link) to download the file within, say, the next 72 hours, otherwise the download link would expire. In the background, after the stipulated time period, the backup would be erased automatically. A new request would need to be initiated if this happens.

This will make sure that server space is not being overused for a long period of time.

How likely do you think accidental deletion is, leaving the user with broken media link(s)? Do you think this could be a possible solution to avoid such a situation?

Change History (4)

This ticket was mentioned in Slack in #gdpr-compliance by desrosj.
3 weeks ago

#3 follow-up: @allendav
3 weeks ago

I worry about large attachments making the ZIPs ridiculous, so if we did something like this, let's consider having settings or at least filters controlling the maximum size attachment that can be added and also controlling the maximum size export ZIP we are willing to create.

#4 in reply to: ↑ 3 @subrataemfluence
3 weeks ago

You are right! That's the reason I proposed an alternative way that will create a separate backup on the server, and the URLs in index.html will point to this location only. Everything in this file remains the same, except that the file location will be different from what we have now. This will definitely prevent us from sending large attachments! In fact, we don't have to worry about sending any additional attachment except the one (index.html) WordPress is sending now.

Also, since the backup will be kept for only a stipulated period and will be erased after that, server space will not get overused for a long time. Users will be notified about the time frame they have to download it before it gets removed physically from the server forever.

Does this make any sense?

Replying to allendav:

I worry about large attachments making the ZIPs ridiculous, so if we did something like this, let's consider having settings or at least filters controlling the maximum size attachment that can be added and also controlling the maximum size export ZIP we are willing to create.

Last edited 3 weeks ago by subrataemfluence
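One way to realise the size-capped backup that comments 3 and 4 sketch, written here as an added example rather than code from this ticket or from WordPress core: a personal data exporter registered through core's existing `wp_privacy_personal_data_exporters` filter. The `ticket44261_max_attachment_bytes` filter, the `private-exports` directory and the `ticket44261_media_exporter()` function are assumptions made for illustration.

```php
// Added illustration for ticket #44261, not core code: an exporter that copies
// the user's media into a private backup directory, skipping files above a
// filterable cap. ticket44261_* names are hypothetical; the registration
// filter wp_privacy_personal_data_exporters is the one core already has.
function ticket44261_media_exporter( $email_address, $page = 1 ) {
	$user = get_user_by( 'email', $email_address );
	if ( ! $user ) {
		return array( 'data' => array(), 'done' => true );
	}
	// Hypothetical per-file cap (default 20 MB), the setting comment 3 asks for.
	$max_bytes = (int) apply_filters( 'ticket44261_max_attachment_bytes', 20 * MB_IN_BYTES );
	// Assumption: per-user backup directory under uploads. The web server must
	// deny direct requests to it, or the backups become publicly reachable.
	$upload = wp_upload_dir();
	$dest   = trailingslashit( $upload['basedir'] ) . 'private-exports/' . absint( $user->ID );
	wp_mkdir_p( $dest );
	$attachments = get_posts( array( 'post_type' => 'attachment', 'post_status' => 'inherit',
		'author' => $user->ID, 'posts_per_page' => -1 ) );
	$items = array();
	foreach ( $attachments as $attachment ) {
		$path = get_attached_file( $attachment->ID );
		if ( ! $path || ! is_readable( $path ) ) {
			continue; // Original already missing: nothing left to back up.
		}
		// Over the cap: report the URL only, exactly as the export does today.
		$backup = 'not copied (over size cap)';
		if ( filesize( $path ) <= $max_bytes ) {
			$target = $dest . '/' . $attachment->ID . '-' . basename( $path );
			$backup = copy( $path, $target ) ? $target : 'copy failed';
		}
		$items[] = array(
			'group_id'    => 'media-backup',
			'group_label' => 'Media files',
			'item_id'     => 'attachment-' . $attachment->ID,
			'data'        => array(
				array( 'name' => 'Original URL', 'value' => wp_get_attachment_url( $attachment->ID ) ),
				array( 'name' => 'Backup copy', 'value' => $backup ),
			),
		);
	}
	return array( 'data' => $items, 'done' => true );
}
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
	$exporters['ticket44261-media'] = array(
		'exporter_friendly_name' => 'Media files (backup copies)',
		'callback'               => 'ticket44261_media_exporter',
	);
	return $exporters;
} );
```

Erasing the backup directory after the 72-hour window the description proposes is not shown here.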