There is no way to disable account deletion in the Account MFE
In the legacy account view from edx-platform, it was possible to remove the possibility of account deletion by defining the ENABLE_ACCOUNT_DELETION feature flag:
Source: https://edx.readthedocs.io/projects/edx-platform-technical/en/latest/featuretoggles.html#featuretoggle-FEATURES%5B'ENABLE_ACCOUNT_DELETION'%5D https://github.com/openedx/edx-platform/blob/20de3c71b4951472947917d2388e8412f53f6bcc/openedx/core/djangoapps/user_api/accounts/settings_views.py#L142
Now, in the frontend-app-account MFE, this feature flag seems to be ignored: https://github.com/openedx/edx-platform/blob/20de3c71b4951472947917d2388e8412f53f6bcc/openedx/core/djangoapps/user_api/accounts/settings_views.py#L74
As a consequence, it is no longer possible to disable account deletion.
This issue was detected following this conversation: https://discuss.openedx.org/t/some-feature-toggles-dont-work/7635
I am probably missing a lot of context in here, but based on the origins of the flag ENABLE_ACCOUNT_DELETION in PR and in order to be GDPR compliant on the 'Right to be forgotten' I do not believe this is a bug. Missing the possibility of disabling account deletion looks like an intentional decision? Again I do not have full context.
- If account deletion is mandatory, then the feature flag should be removed.
- If platform administrators are able to disable account deletion, then this feature flag should be respected.
I think that we should go with option 2. For instance, account deletion could be disabled outside of Europe or in private Open edX instances.
You need to consult with Legal about this issue. That's because many jurisdictions around the world have laws similar to GDPR which stipulates that a user must be able to delete the account at any moment.
There are some cases where user account deletion should be deactivated. For instance when running a private instance of Open edX inside a company. In such cases GDPR does not apply.
The default should be to allow account deletion (according to GDPR) but platform administrators should be able to deactivate this feature (IMHO).
Hello
I'm keen on picking up the above issue, any objections? Thank you
Apologies team, I no longer have the bandwidth to contribute!
Hi! Since this was dropped by alfstooqi, maybe I can have a go at it if no one is working on it. Let me know if it is a problem.
I have taken some time to learn more about the project, and I have some questions about the issue. Will creating an environment variable (ENABLE_ACCOUNT_DELETION) on the front end and hiding the component be enough? Is it expected to show any message, letting the user know that his account cannot be deleted, and that if he wants, he needs to call support or something like that?
I have some questions about the solution for this issue. Please read the post in the forum.
Hi @JonasBM, thanks for your contribution! I see you opened a PR in account MFE that was already approved. Let us know when it's merged! Also, there was also a fix in the backend, can you link the PR for that one as well? Thanks!
Hi @mariajgrimaldi Someone asked to contribute to the backend issue, but looks like he is not gonna fix it. I will try to make a PR to fix the backend this week, so maybe we can close this issue.
@mariajgrimaldi the PR was merged on the MFE. Regarding the backend part, @kiran1415 seems to be taking care of it.
Great! Thank you @JonasBM 🥳
Hi, this could be marked as complete because it depends on these two PRs:
- https://github.com/openedx/frontend-app-account/pull/817
- https://github.com/openedx/edx-platform/pull/33062
I already tested it and it works perfectly :smile:
P.S.: this PR is already in quince so if we backport this one it could also be available in quince.master
I remain attentive to your recommendations
Thank you so much for helping us out, @DonatoBD! I'll close this now. If any other issue arises, a new ticket should be opened.