-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
Documentation for how to delete a user #1707
Comments
I'd like to point out that doing:
Is a bad idea, just as |
the right way to delete a user is to use the deactivate API:
we do not recommend blindly deleting rows from databases, as it could leave things in a very inconsistent state. |
@ara4n How is this implemented in a self hosted version? |
I'd also like to know how to delete users, in layman terms if possible. |
I wan't to delete users in self-hosted environment, like @rorymbyrne |
Matrix really needs a simpler UI/UX for being able to add and delete users. |
searching for the same delete button. a testuser has regged with beginning capital characters, and so it makes problems to interact with him... delete and rereq does not work. because it's already created... gnaahhh and haven't found yet a admin console or interface ... |
@ara4n i found that |
If you want to be able to reuse the userid, you don't want to deactivate: just reset the password. |
https://github.com/vector-im/riot-web/issues/4125 concerns this |
I tried to delete an account, but received
How can i delete the account? |
@rajil this might help, from the admin api docs:
|
@cavebeat @slipeer
PS: |
Okay, I've created a script for now to deactive an account: https://gist.github.com/rgpublic/8457d98b0fcc0c54893b9907f9b8b825 Nevertheless it just sucks with at least a 3x factor: Suck element-hq/element-web#1: No decent UI |
Hm. With my script, there's one user I cannot delete. I always get "Failed to remove threepid from ID server". Is there anyone who knows what this might mean? Argh, it's a nightmare. I wonder how companies with more employees than us handle this. People sometimes happen to leave the company and then.... what? One of the really sad points of an otherwise really user-friendly, stable and great chat software. We're very happy with it, but the fact that you can always easily create stuff but you never can remove stuff the same way i.e. via Riot (Rooms, Account) is just terrible IMHO. |
ack! We had ~200 spamming IRC users via the freenode-bridge in a room and kicking them via riot is quite annoying. |
I need a way to delete users definitively from the DB (my use case is that a change in an IRC Bridge configuration left a lot of ghosts users in the DB). |
Great! Is there any way to reactivate users? |
I think the main reason why it is not implemented to really delete a user is that this would make it possible to overtake an old Account of another User that was deleted by Registering again with the same name. So couldn't we add a real deletion only for users that either never said anything or where all the user's messages are already redacted? |
Can a user really not be deleted? If this is the case, Matrix Synapse would not be GDPR compliant, since the "Right to Erasure ("right to be forgotten")" would not be fulfilled upon user request, see e.g. here ... The provider of the homeserver would be obligated to delete all user data manually. Same with respect to changing the matrix user ID, which is visible and cannot be edited after registration. This might not comply to the "Right of access and right to rectification", see https://gdpr-info.eu/art-15-gdpr/ and https://gdpr-info.eu/art-16-gdpr/. A user must be able to access and edit his personal data. |
Aside from laws and regulations which might be subject to change. |
@menturion users are deactivated rather than deleted, for matrix.org, our Privacy Policy (https://matrix.org/docs/guides/privacy_notice.html) describes how we satisfy our GDPR obligations, in particular the Right to Erasure. Admins for other homeservers are of course free to publish their own privacy policy and implement it as they see fit. More generally we agree that having easier to use and more powerful admin tools would be beneficial and it features on our roadmap (https://github.com/orgs/matrix-org/projects/9). The only reason we are not working on it right now is a question of bandwidth. |
@neilisfragile Well, I think this is a bit of a view with rose-tinted glasses on. Fact is, the e-mail address is considered to be "personal data" in regard to the GDPR. Currently, it is stored on the server for an indefinite amount of time with no way to ever remove it. This is IMHO a clear GDPR violation. You can publish policies all you want but that doesn't turn illegal stuff into legal stuff. I can write my own policy that I intent to drive consistently at 100 mph but that doesnt make it legal. What's more, I as an admin of an "other homeserver" would very much like to publish my own privacy policy stating that we delete the account completely. Unfortunately, I cannot realize that policy without decent means to delete anything. What I'm currently planning to do is completely wipe the server once per year and start with a fresh Matrix server. Otherwise I think there is currently not really a decent way to make sure that old stuff is not kept around forever. I have currently a crazy set of helper scripts which fumble around with the DB to delete rooms, accounts etc. But whether they really remove everything I just don't know. This should be clearer and easier. We are using the scheme @company.de for our email addresses. If a new coworker arrived with the same lastname as a previous one, we couldn't create a new account for him/her. With email accounts, for example, this is not a problem at all. Finally, if you look at the recent matrix.org security breach and the fact that encrypted messages are still not the default in Riot I think it makes very much sense to reduce the amount of data stolen if the worst case happens and the server is hacked. It is quite unnecessary when passwords etc. might be at risk even though you don't even use a server anymore. Furthermore, even if Matrix doesn't want people to delete their account properly then IMHO extra care should be given that people are at the very least able to deactivate their account. Even that doesn't work. I have multiple accounts here at our own server where I only get "Failed to remove threepid". I initially created my own account on matrix.org but then realized I'd much prefer to setup our own homeserver. Now, I'm not able to even deactivate my account on matrix.org. I can login. But when I try deactivate it says: "Unknown error". I think the whole situation is simply a mess and really a bad point of an otherwise quite excellent product. |
For clarity, deactivating an account does the following:-
You can verify this for yourself here https://github.com/matrix-org/synapse/blob/master/synapse/handlers/deactivate_account.py#L69 As you might expect we sought specialist legal advice to ensure our policy and implementation are GDPR compliant. However we would like to go further and treat the MXID as an opaque string, this proposal describes our current thinking. matrix-org/matrix-spec-proposals#1228
As an open source project and you are free to modify as you see fit, though you would need to consider carefully how to manage previous interactions that the user participated in.
This paragraph seems orthogonal to your main point on data privacy - there is a just as strong an argument for avoiding the possibility of mistaken identity and many companies do not recycle email for exactly that reason. That said the point will become moot once matrix-org/matrix-spec-proposals#1228 is realised.
This is a bug. It sounds like #5097 (Do you agree?). In any case element-hq/element-web#5097 will be fixed promptly. |
@neilisfragile Thank you for your detailed response. Very interesting read. Yes, I agree element-hq/element-web#5097 sounds like my problem. I have this problem here on our own server as well as with my matrix.org account, so good to know this is being worked on. One question though regarding what's deleted: Two people talk in a private chat with each other. Now, both leave the company and deactivate their account. We assume their conversation is not encrypted. Now, years later, someone hacks the home server and gains access to the data. Will the hacker have access to that conversation? What I gather from your response, I'd say yes. This is my main point: It's very unfortunate because the conversation can of course easily contain personally identifiable data etc. What's currently badly missing IMHO is to have some options for users and/or admins to be able to reduce the attack surface in general. I would like, for example, to clear any messages older than xy days - or even clear all my messages from time to time. Slack, e.g., even has the ability to define a retention policy: https://get.slack.help/hc/en-us/articles/203457187-Customize-message-and-file-retention-policies I think this should be possible for our own home server. After all, I can simply wipe the server anyway and start from scratch. So why is it so difficult to actually remove stuff? |
No they would not, because when the first user is deactivated they are removed from all rooms that they are a part, the conversation persists because the other user is still in the room and that conversation is as much theirs as the deactivated user. When the second user is deactivated, then since there are now no other users who can see the messages the messages are deleted. The relevant quote in the privacy statement is "Any messages or files that were only accessible by your account will be deleted from our servers within 30 days." On your second point there is a big difference between a server having a generic retention period where all users of the server are aware of the policy and then separately, someone unilaterally removing half of a conversation where both parties can lay claim that they share the data. This is why we do not remove shared conversations under GDPR. Generic data retention policies where all content older than X is deleted is something we'd like to do (though harder to see how this would work for federated rooms), and it's only really bandwidth that prevents us doing so. |
Ah. This is extremely(!) useful information. Thanks a lot, @neilisfragile. Wish I had known all that earlier. I'm much more relaxed about the deactivation feature now. I think the (usability) problem is: The UI tells people that they can "deactivate" their account but there is no clear obvious information on what that means. I assumed that "deactivation" just means that. In particular, that you can just reactivate such an account later and you'll find everything (message history etc.) in a state where you left off. As it seems, this is not the case. And I noticed the sentence "Any messages or files that were only accessible by your account..." but I didn't really understand what it meant as usually there are at least two persons who can access the messages. Now I understand it really means: "After all accounts having access to a specific message have been deactivated, the corresponding message itself is deleted from our servers within 30 days. Even if any of those accounts is reactivated later, the messages won't be available" Just one more question: On our own synapse homeserver I use the CURL call: https://localhost:8448/_matrix/client/r0/admin/deactivate/... to deactivate the user. What needs to be done to ensure the deletion after 30 days really takes place? Is there are cron job that needs to be installed on the server or how does it work? |
Deactivation is one-way in Matrix, in theory, a server admin could resurrect an account but this is on the whole unsupported |
@e-lisa Turn user registration off, and create your own invite system (Note that this "addon" has not been maintained but serves as an example of how to solve this problem). Matrix is far from complete and should still be in beta IMHO. |
Hey all, this thread has digressed a bit from the original intention (though its been useful!). I'm going to close this now in favour of other issues, simply to make it easier for us to track what's going on. As always if there isn't already an issue for your problem then please do create one. Relevant issues:
@e-lisa Sorry to hear that! We've started adding some features to help combat that sort of thing, but they're currently quite rough to use and under documented. Please feel free to add any notes to element-hq/element-web#8293 with suggestions that could help. |
Commenting to add to @erikjohnston's list:
|
@Torxed That is not a solution, nor does it have anything to do with my problem. (it does not even address my use-case). Please see element-hq/element-web#1216 if you need more context. Telling users to "write their own sign-up system" has nothing to do with being able to ban an offending IP address. |
@e-lisa You said, and I quote: What I suggested solves that problem. If you had another more intricate use case/problem - feel free to ignore the advice. But as other users might end up here searching for the same issue it's important to share solutions to those problems. So saying that, and I quote again, Again, your issue is actually issues - and there's not one fix for them. |
Hi we have an LDAP system where users can be activated and deactivated, is there a way to reactivate an account even if the history is lost for that user? |
https://github.com/matrix-org/synapse/blob/master/docs/admin_api/user_admin_api.rst#id14 should help you with that, but please don't comment on closed issues with unrelated questions. #synapse:matrix.org is available for support. |
Hi. |
You can deactivate accounts, if you want to reuse them again try: Checking if the account is deactivated
Update user information to new user
Then login with your refreshed user account Also see https://github.com/matrix-org/synapse/blob/master/docs/admin_api/user_admin_api.rst#id15 for more info, |
Thanks lalilaloe, |
Hi @hmn566 , upd: |
Well. it seems there is no solution for matrix problems. It is better to forget about matrix and go fo other IM solutions. |
|
Of course there are lots of solutions in 2020. For example Rocket chat has complete admin UI with full control on users. the only thing i don't like in that is jitsi but can handle it easier than not having control on users. matrix has only few commands and that's all. |
Delete user Since most tables in the user_id field contain fully-qualified
After that you can register the same user again. |
please, please, please, do not run the above on your database. Or, if you do, please don't open bugs when everything breaks later. |
What else can we do? |
Take it from someone who tried 4 years ago when I set up the database. Only do this on a server where you don't care if you have to re-install it in a few months or with a very understanding community that due to lack of administration tools (because for some reason the matrix concept is based on decentralized administrative roles and information wants to be free) forces us to do weird stuff to manage our organizations/communities. And where you resign the ability to ask for support in any database related issues. TL;DR: Matrix is not a community structured chat service - it's a decentralized chat service without a traditional hierarchy. (I might be using the wrong words here, but the jizt of it should be the same) |
I have just started to use this: https://hub.docker.com/r/awesometechnologies/synapse-admin |
Well. As i understand that may not work as planned , especially for long time users with a dozen of topicks, groups, and etc. The thing is synapse also creates a lot of background information about users and it based not only on @user:domain.com, but also on generated token for each user. |
I've been using this somewhat shorter script successfully many times on our homeserver: https://gist.github.com/rgpublic/afdb4fc42804b15c644cef3bd172717a Make sure you deactivate the user first: https://gist.github.com/rgpublic/8457d98b0fcc0c54893b9907f9b8b825 If you can, you should also try to kick the user out of all rooms manually. In that combination, I found that it works quite well. Other users might have to log out and log in again once for the user to disappear. It's all not perfect and can have risks. But I don't see any alternative at the moment and for a small homeserver, I found it works quite well without too many glitches. I wonder how the mentioned Docker tool does it? |
Ah, interesting: Basically my "deactivateUser" script with "erase: true" argument. So there seems to be a hidden API for this after all...? Could someone perhaps try to extend my script and test this? https://gist.github.com/rgpublic/8457d98b0fcc0c54893b9907f9b8b825 I currently have no user to delete because there haven't been any layoffs (fortunately ;-)). |
|
Suggestion: Renaming deactivated users to @user-deactivated:domain.com a) It will allow for a new users to create a same handle Instead of the work 'deactivate' there can be a slug random slug so that the same name could be registered There is more fundamental question should two people be allowed to use the same handle? I would 'borrow' how it handled by twitter or FB |
This is disallowed on purpose. Reusing handles may create privacy and/or security issues. You may receive messages from people thinking you are the old user still. You may still have permissions granted to that userId in some rooms.
Nope, the history would still be tied to the old MXID, given those are stored in the immutable event DAG. You can't change the sender MXIDs of old events to rewrite history. |
seems that new api brought changes. i adjusted the script to use #!/bin/bash echo -e "\e[97mErase? y/n\e[0m";
not sure if we need the access token. you could try to remove that too and check if it still works reference: https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#deactivate-account |
@erikjohnston Please reopen this. I want to delete a matrix user from a script and it's not possible. This is not addressed by any of the issues you linked to justify closing this. How come there's a This is a bug! Please reopen! |
@keith24 it is not a bug. It is an intentional choice. #1707 (comment) |
I want to delete testusers, how can i do this?
The documentation only points out how to register a new user.
The text was updated successfully, but these errors were encountered: