pinax, close and remove account.


tristan

Feb 26, 2009, 5:16:11 AM
to Pinax Users
Hi,

Can anyone think of a smart way to write, or implement a simple "close
my account" function within Pinax? I'm quite new to Pinax and Django,
but this would seem to be a useful addition for privacy reasons.

tristan

Mar 2, 2009, 12:09:36 PM
to Pinax Users
If not, does anyone know what I would need to do to kill an account,
what fields would need to be removed?

Luigi Panzeri

Mar 2, 2009, 12:25:42 PM
to pinax...@googlegroups.com
Could you just set the is_active field to false and use the suitable queries?

AFAIK you can't delete the Profile object as other objects may depend on it (feeds, uploaded content, comments, blogs, friendship, membership and so on).

IMHO, if you want to destroy all the content provided by the user you have to provide a custom deep deletion method that recursively deletes all the data that belongs to the user.

tristan

Mar 12, 2009, 12:35:01 PM
to Pinax Users
So is there no simple way for a user to close their account, and
remove their profile?

Daniel Greenfeld

Mar 12, 2009, 12:48:00 PM
to pinax...@googlegroups.com
On Thu, Mar 12, 2009 at 12:35 PM, tristan <tristanb...@gmail.com> wrote:
> So is there no simple way for a user to close their account, and
> remove their profile?

Currently there is no way in Pinax to do things simply. One could say that Pinax currently takes the Facebook method of removing user data - it doesn't.

However, IMHO, this is a requirement that needs to be answered in Pinax. Government agencies will need this to say the least. Would you mind opening an issue on the Pinax issue list here? http://code.google.com/p/django-hotclub/issues/list

If not, let me know and I will do it.

Danny
 







--
'Knowledge is Power'
Daniel Greenfeld
http://pydanny.blogspot.com
http://dannygreenfeld.blogspot.com

tristan

Mar 12, 2009, 12:48:16 PM
to Pinax Users
I've looked into this, as I was hoping to just be able to copy the
admin delete functionality. It didn't work, even if I delete the
profile object, their name still appears if you browse profiles, and
errors if you click on it.

Bit stuck here, has anyone got a smart idea to solve what seems to be
a fairly common concern of removing all of a user's data?
Really appreciate your thoughts.

T

tristan

Mar 12, 2009, 12:55:24 PM
to Pinax Users
Ok,

I've found if I log in to the admin section, then go to Auth not
Account, and delete the user, all the objects related to that user are
removed.
So now I just need to find a way of exposing that logic to the user so
they can do it themselves.
Any tips on how best to do this welcome!

T

Adam Nelson

Mar 12, 2009, 1:13:57 PM
to pinax...@googlegroups.com
If you make the ticket, I think there should be two methods:

1. Delete the user object and all dependent objects (this should happen automagically with generic foreign keys: http://docs.djangoproject.com/en/dev/ref/contrib/contenttypes/#reverse-generic-relations)
2. Define a subset of account fields that are PII (Personally Identifiable Information - http://en.wikipedia.org/wiki/Personally_identifiable_information).  There should be a method to purge PII from any given user object without having to delete the object itself or any dependent objects.
--
Adam Nelson

http://www.varud.com
http://twitter.com/varud
http://www.linkedin.com/in/adamcnelson

Adam Nelson

Mar 12, 2009, 1:22:01 PM
to pinax...@googlegroups.com
Tristan,

I believe if you do something like:

User.objects.get(pk=1).delete()

All dependent objects will be deleted (certainly that user will be deleted).  Keep in mind though that this doesn't take into account real world logic - so if that user created a wiki page, that page could be deleted as well.

Only use that type of thing if it's really well tested - otherwise you'll want to clear the PII for the user (see previous email) and keep the user itself in existence.

tristan

Mar 12, 2009, 1:22:55 PM
to Pinax Users
I created an issue: http://code.google.com/p/django-hotclub/issues/detail?id=196

Adam, I'll read up on those links, but do you by chance know exactly
what the django auth app in the admin section does when you delete a
user? Because it has the exact functionality needed, it deletes all the
data, and works great. Trouble is I don't know how to copy the logic
it is calling, because I can't find it..


tristan

Mar 12, 2009, 1:27:39 PM
to Pinax Users
Hi Adam,

Thanks so much for the pointer, you beat me to it and responded before
I saw the reply.
So actually, if: User.objects.get(pk=1).delete() really does delete
everything that is associated with that user, that's just fine for me.
I'm going to have the applicable warnings, but I want to allow them to
be able to remove everything.
I'm very new to Django / python / pinax, so it will take me a fair bit
of research to find out how to implement that into a simple view that
a user can call from the settings page to delete their details, but if
it helps anyone, and I manage to do it I'm very happy to post the code
here when I finally hack it out!

Adam Nelson

Mar 12, 2009, 1:34:01 PM
to pinax...@googlegroups.com
Tristan,

I don't know much about users/accounts.  Nonetheless, Pinax derives its user from the Django.contrib:

Look at this file:
pinax/apps/account/models.py:

This line imports the User model from django.contrib:
from django.contrib.auth.models import User, AnonymousUser

These lines define the Account object:
class Account(models.Model):
    user = models.ForeignKey(User, unique=True, verbose_name=_('user'))

The models.ForeignKey() part is what's important.  If you do the User.objects.get(pk=1).delete() method I sent before (to delete the User whose primary key is 1), all models in the rest of the project that have a foreign key to that specific user will also delete those objects.  So, in this case, the deletion of the user, also deletes that user's account record.

You'll notice the ForeignKey to the User object frequently - all those models will automatically delete any records where that ForeignKey matches the primary key which was deleted through User.objects.get(pk=1).delete()

Don't take my word on this though - I'm not a Django ForeignKey expert yet - and I'm not entirely convinced that this would work if for some reason you were on a database without referential integrity (MyISAM or something).

tristan

Mar 19, 2009, 4:47:47 PM
to Pinax Users
I've done more research on this, and according to the Django
documentation, the _correct_ thing to do, would be set the user as
inactive.
As a test I deactivated a user in the Django admin. The trouble herein
lies in that Pinax apps (basic_profile) and the browse profile views
etc, do not check or respect the active / inactive field. Which is a
shame...


James Tauber

Mar 19, 2009, 5:01:46 PM
to pinax...@googlegroups.com
On Mar 19, 2009, at 4:47 PM, tristan wrote:

>
> I've done more research on this, and according to the Django
> documentation, the _correct_ thing to do, would be set the user as
> inactive.
> As a test I deactivated a user in the Django admin. The trouble herein
> lies in that Pinax apps (basic_profile) and the browse profile views
> etc, do not check or respect the active / inactive field. Which is a
> shame...

There's more to it than that. What do you do with content the user
created? What if user B comments on a thread started by user A -- if
you deactivate user A, does user B's comment get deleted too?

James

Adam Nelson

Mar 19, 2009, 5:03:27 PM
to pinax...@googlegroups.com
Good work.  That's what I would have presumed.  Deleting such core level objects as users is dangerous even if everything is set up beautifully.

Now all that's needed is a proper PII (Personally Identifiable Information) delete method that extends the User class and can be used to manage the purging of that kind of data in a consistent way.

Ideally that would be in some future Django release (2.0?), but for now it could probably just be some sort of extra method in the misc app or something?
--
Adam Nelson

http://unhub.com/varud

Adam Nelson

Mar 19, 2009, 5:05:35 PM
to pinax...@googlegroups.com
Yeah, that was the thrust of my earlier email.  If you really delete the specific user, and things are keyed correctly, all the wiki pages, etc.. that were made by that user would be deleted.

That is the 'correct' behavior for the delete but it's probably never a smart idea.

I think it's never advisable to delete a user, in any system.  Just purging the PII from the user is the best solution.
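
The trade-off discussed in this thread (cascade delete versus deactivating the user and purging PII), as an added example that is not code from the thread or from Pinax. The schema, sample rows and function names are constructed, and SQLite's ON DELETE CASCADE stands in for the cascade that Django's User.delete() performs.

```python
import sqlite3

# Constructed schema and rows: alice (id 1) starts a thread, bob (id 2)
# comments on it. ON DELETE CASCADE models the ForeignKey cascade.
SCHEMA = """
CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, email TEXT,
                   is_active INTEGER NOT NULL DEFAULT 1);
CREATE TABLE thread (id INTEGER PRIMARY KEY, title TEXT,
    author_id INTEGER NOT NULL REFERENCES user(id) ON DELETE CASCADE);
CREATE TABLE comment (id INTEGER PRIMARY KEY, body TEXT,
    author_id INTEGER NOT NULL REFERENCES user(id) ON DELETE CASCADE,
    thread_id INTEGER NOT NULL REFERENCES thread(id) ON DELETE CASCADE);
INSERT INTO user (id, username, email) VALUES
    (1, 'alice', 'alice@example.test'), (2, 'bob', 'bob@example.test');
INSERT INTO thread VALUES (1, 'Welcome', 1);
INSERT INTO comment VALUES (1, 'Nice thread', 2, 1), (2, 'Thanks', 1, 1);
"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FK actions otherwise
    db.executescript(SCHEMA)
    return db

def counts(db):
    """Row counts per table, to compare the two closure strategies."""
    return {t: db.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
            for t in ("user", "thread", "comment")}

def hard_delete(db, user_id):
    """Delete the user row; the cascade removes everything that hangs off it."""
    db.execute("DELETE FROM user WHERE id = ?", (user_id,))

def purge_pii(db, user_id):
    """Blank the identifying fields and deactivate, keeping dependent rows."""
    db.execute("UPDATE user SET username = ?, email = '', is_active = 0 "
               "WHERE id = ?", (f"closed-{user_id}", user_id))

def visible_users(db):
    """Listing query that respects is_active, as profile views should."""
    rows = db.execute("SELECT username FROM user WHERE is_active = 1 ORDER BY id")
    return [r[0] for r in rows]

if __name__ == "__main__":
    a, b = make_db(), make_db()
    hard_delete(a, 1)
    purge_pii(b, 1)
    print("hard delete:", counts(a), visible_users(a))
    print("PII purge:  ", counts(b), visible_users(b))
```

Deleting alice also removes bob's comment, because it hangs off her thread; the purge leaves every content row in place and only drops her from listings that filter on is_active.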

tristan

Mar 19, 2009, 5:08:24 PM
to Pinax Users
Thanks guys...

So to anyone else wanting to do this, I resolved by adding the
following into the Pinax apps. (I think it would be a good addition to
them)
In the two views in basic_profile that show a user's profile and let
you browse profiles I added the following code first to check if the
user is active.


    if not other_user.is_active:
        raise Http404

Hope this helps anyone else, and again, thanks all of you for help and
pointers.

tristan

Mar 19, 2009, 5:09:21 PM
to Pinax Users
Oh slight lie, the code I added to change the list view of profiles is
as follows: (slightly different).

    return render_to_response(template_name, {
        "users": User.objects.filter(is_active=True).order_by("-date_joined"),




Daniel Greenfeld

Mar 19, 2009, 6:57:10 PM
to pinax...@googlegroups.com
Nice thoughts guys. I think the original Profiles system in Pinax needs some refactoring love and care. Everyone ends up forking it anyway. It should be more adaptable and capable of supporting the inactivation/deletion of users.

And yes, I mean the deletion of users. In the world of Federal governments, when users are removed, the person's records have to be completely removed from those systems. So for Pinax to get wider adoption, we'll need to be able to do both inactivating of users and their content, as well as safe deletions.

I'm hoping to talk this out with Tauber and Rosner at Pycon next week. :)

Danny