Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

History from previous project is shown #948

Closed
Glandos opened this issue Nov 26, 2021 · 5 comments · Fixed by #994
Closed

History from previous project is shown #948

Glandos opened this issue Nov 26, 2021 · 5 comments · Fixed by #994
Labels
bug security

Comments

@Glandos
Copy link
Member

Glandos commented Nov 26, 2021

  • Create a project
  • Add some participants
  • Show participants creation in history
  • Delete the project
  • Create it again
  • See that old entries are shown in history

This lead to data leak. History must be cleared upon project deletion.
@deepthivalisetti
Copy link

deepthivalisetti commented Nov 30, 2021
edited

Hi. I am trying to solve this issue. Can you let me know if the project is deleted, should the user data also be erased?
As I see, the person is having project id linked and on that basis if the project name is the same as the old one, its fetching the data. I have come up with 2 options.

  • remove the Person data linked to the project
  • remove the Project linked to the Person

@almet
Copy link
Member

almet commented Dec 2, 2021

Hi. I am trying to solve this issue. Can you let me know if the project is deleted, should the user data also be erased? As I see, the person is having project id linked and on that basis if the project name is the same as the old one, its fetching the data. I have come up with 2 options.

* remove the Person data linked to the project

* remove the Project linked to the Person

I don't think you've understood the issue we're facing, so let me explain it differently : the history is stored in a separate database table than the projects. When the project is deleted, history should be deleted too, but it's not the case at the moment.

To solve this issue, you need to also delete the extra information.

@Glandos
Copy link
Member Author

Glandos commented Dec 3, 2021

Yes, history is handled by SQLAlchemy-continuum, and there are some functions to manage this, but I still have to read its documentation :)

@zorun zorun mentioned this issue Dec 9, 2021
Closed
@Glandos
Copy link
Member Author

Glandos commented Dec 21, 2021

First investigations results:

@almet
Copy link
Member

almet commented Dec 21, 2021

Deleting project history on project delete seems a bit hard: what if we need an undelete on it?

Interesting :-) At the moment we don't have any way to do this, unless I missed it. I believe it's alright. If we want to be sure that it's meant to be deleted, then we could maybe let only the person with an access to the specified email receive a confirmation email to delete the project.

@Glandos Glandos mentioned this issue Feb 5, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug security
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Purge project history on deletion Glandos/ihatemoney
3 participants
@almet @Glandos @deepthivalisetti