| | 20 | {{{ |
| | 21 | <base_url>/confirm_delete_account.php?userid=<userid>&token=<token> |
| | 22 | }}} |
| | 23 | When they click on the link they will be taken to a page that asks them if they are sure that they want to delete their account. They must re-enter their password and click the button that says "delete account" in order to have there account deleted. The account will be immediately deleted at this point and the user will be redirected to the project's home page. |
| | 24 | |
| | 25 | If the user returns to the request_delete_account.php while they have an active token, the page will ask them to check their email for the email that was sent and then provide them with an option to generate a new email if they cannot find the first one. This will again require the user to enter their password to generate the email. |
| | 26 | |
| | 27 | == Technical Implementation == |
| | 28 | === New Tables === |
| | 29 | token |
| | 30 | |
| | 31 | * token varchar(254) not null pk |
| | 32 | * userid int not null |
| | 33 | * type char not null |
| | 34 | * create_time int not null default unix_timestamp() |
| | 35 | * expire_time int not null |
| | 36 | |
| | 37 | user_deleted |
| | 38 | |
| | 39 | * userid int not null pk |
| | 40 | * public_cross_project_id varchar(254) not null |
| | 41 | * delete_time not null default unix_timestamp() |
| | 42 | |
| | 43 | host_deleted |
| | 44 | |
| | 45 | * hostid int not null pk |
| | 46 | * public_cross_project_id varchar(254) not null |
| | 47 | * delete_time not null default unix_timestamp() |
| | 48 | |
| | 49 | === Token Generation === |
| | 50 | Tokens will be generated from the function inc/util.inc random_string(). However, that function currently relies on functions that are not cryptographically secure. As a result, this function will be replaced with the following implementation: |
| | 51 | |
| | 52 | {{{ |
| | 53 | function random_string() { |
| | 54 | return bin2hex(random_bytes(16)); |
| | 55 | } |
| | 56 | }}} |
| | 57 | A couple of notes about this choice: |
| | 58 | |
| | 59 | * random_bytes is documented here: http://php.net/manual/en/function.random-bytes.php but is a PHP 7 function. |
| | 60 | * for compatibility with older versions of php (5.2 to 5.6) we will include the library at https://github.com/paragonie/random_compat |
| | 61 | |
| | 62 | === Token Usage === |
| | 63 | The token generated by random_string() and included in the email will be stored on the token table and will be set to expire after 24 hours. The token type for this will be "D" for delete. |
| | 64 | |
| | 65 | If the user clicks on the link in the email and the token is invalid or expired, they will be presented with a page that states that the link was invalid and that they need to return to the request_delete_account.php and request a new link. |
| | 66 | |
| | 67 | === Data Exports === |
| | 68 | BOINC provides a mechanism for the mass export of data (db_dump). GDPR requires that this mechanism also provide notification to consumers of that data that accounts have been deleted. |
| | 69 | |
| | 70 | The current format of the data for users looks like (user.xml): |
| | 71 | |
| | 72 | |
| | 73 | {{{ |
| | 74 | <user> |
| | 75 | <id>13306</id> |
| | 76 | <name>etest051717a</name> |
| | 77 | <country></country> |
| | 78 | <create_time>1495032737</create_time> |
| | 79 | <total_credit>1218.038168</total_credit> |
| | 80 | <expavg_credit>0.088678</expavg_credit> |
| | 81 | <expavg_time>1504635602.002442</expavg_time> |
| | 82 | <cpid>0213f2f995c5a3fd86aec4b79b08a05d</cpid> |
| | 83 | <teamid>118</teamid> |
| | 84 | </user> |
| | 85 | <user> |
| | 86 | <id>13384</id> |
| | 87 | <name>etest062917a</name> |
| | 88 | <country></country> |
| | 89 | <create_time>1498749567</create_time> |
| | 90 | <total_credit>6740.232830</total_credit> |
| | 91 | <expavg_credit>0.096624</expavg_credit> |
| | 92 | <expavg_time>1506990001.965522</expavg_time> |
| | 93 | <cpid>a09031094836310f043f0ff8bcfca355</cpid> |
| | 94 | </user> |
| | 95 | }}} |
| | 96 | |
| | 97 | We are proposing this is changed to |
| | 98 | |
| | 99 | {{{ |
| | 100 | <user> |
| | 101 | <id>13306</id> |
| | 102 | <name>etest051717a</name> |
| | 103 | <country></country> |
| | 104 | <create_time>1495032737</create_time> |
| | 105 | <total_credit>1218.038168</total_credit> |
| | 106 | <expavg_credit>0.088678</expavg_credit> |
| | 107 | <expavg_time>1504635602.002442</expavg_time> |
| | 108 | <cpid>0213f2f995c5a3fd86aec4b79b08a05d</cpid> |
| | 109 | <teamid>118</teamid> |
| | 110 | </user> |
| | 111 | <user> |
| | 112 | <id>13384</id> |
| | 113 | <cpid>a09031094836310f043f0ff8bcfca355</cpid> |
| | 114 | <deleted/> |
| | 115 | </user> |
| | 116 | }}} |
| | 117 | |
| | 118 | The deleted tag being used to signify those records that must be deleted from the downstream system. The db_dump utility would first export records from the user table and then export records from the user_deleted table to generate these records. |
| | 119 | |
| | 120 | The host.xml will be changed similarly so that a record for a host that has been deleted would look like: |
| | 121 | |
| | 122 | {{{ |
| | 123 | <host> |
| | 124 | <id>884</id> |
| | 125 | <host_cpid>36e9d265f8fe553bedbbef1cd21a6182</host_cpid> |
| | 126 | <deleted/> |
| | 127 | </host> |
| | 128 | }}} |
| | 129 | |
| | 130 | This portion of db_dump would pull from host and then from host_deleted to collect the data. |
| | 131 | |
| | 132 | === delete_account.php === |
| | 133 | The delete of the account is final and is not recoverable in anyway. On the confirm_delete_account.php page, then token should be included as a hidden field. The delete_account.php page that receives the request should validate both the users password and the users token before allowing the delete to proceed. Only if both are valid should this occur. |
| | 134 | |
| | 135 | The delete will consist of the following actions: |
| | 136 | * An entry will be inserted into the user_deleted table |
| | 137 | * An entry will be inserted into the host_deleted table for each host record the user has |
| | 138 | * All entries for the user will be deleted from the following tables: |
| | 139 | * badge_user |
| | 140 | * banishment_vote |
| | 141 | * credit_user |
| | 142 | * credited_job |
| | 143 | * donation_paypal |
| | 144 | * forum_logging |
| | 145 | * forum_preferences |
| | 146 | * friend (where either user_src or user_dest equals the deleted userid) |
| | 147 | * host_app_version (for each host the user owns) |
| | 148 | * msg_from_host (for each host the user owns) |
| | 149 | * msg_to_host (for each host the user owns) |
| | 150 | * host |
| | 151 | * notify |
| | 152 | * post_ratings (for each post the user created) |
| | 153 | * post_ratings (for each post the user rated) |
| | 154 | * post (for each post made by the user, find any posts that has that as a parent and set parent_post_id to null) |
| | 155 | * post (remove posts made by the user) |
| | 156 | * private_messages |
| | 157 | * sent_email |
| | 158 | * subscriptions |
| | 159 | * team_admin |
| | 160 | * team_delta |
| | 161 | * user |
| | 162 | * Problematic Tables |
| | 163 | * team (when user_id is for the user, how to remove since field is not null) |
| | 164 | * Note that rows in the following are not deleted because these will be deleted in due course and are necessary for technical operation of the system: |
| | 165 | * result |
| | 166 | * Questions. |
| | 167 | * thread – do we need to remove thread? |
| | 168 | * user_submit |
| | 169 | * user_submit_app |
| | 170 | |
| | 171 | === Final Removal |
| | 172 | A script that runs once a day will be developed that removes entries from the user_deleted and host_deleted tables when create_time indicates that they are over 60 days old. This provide sufficient time for consumers of the data export to receive notification of the deletion and to remove the data from their system. |
