[BUG] Deleted user can be re-identified

[tyrandus]

When a user is deleted, JSON objects in the history_historyentry table persist and allow for re-identification.

Steps to reproduce

• Create a new user in the Django admin interface.
• Log in as the new user.
• Create a new SCRUM project.
• Delete the user account (from their own account settings).
• Check the database tables users_user and history_historyentry.

Details

As all user data should be deleted when a user decides to remove their account, I would have assumed that there is no trace left that can link the user and any other data stored in the database. However, this is not the case. The approach seems to be to generate a ghost user, i.­e., all sensitive attributes in the users table are replaced (e.­g., the name becomes Deleted user):

taiga=# SELECT * FROM users_user;
 id |                                    password                                    |          last_login           | is_superuser |                  username                  |                        email                        | is_active |  full_name   |  color  | bio |                                       photo                                         |          date_joined          | lang | timezone | colorize_tags | token | email_token |              new_email              | is_system | theme | max_private_projects | max_public_projects | max_memberships_private_projects | max_memberships_public_projects |               uuid               | accepted_terms | read_new_terms | verified_email | is_staff |        date_cancelled         
----+--------------------------------------------------------------------------------+-------------------------------+--------------+--------------------------------------------+-----------------------------------------------------+-----------+--------------+---------+-----+------------------------------------------------------------------------------------+-------------------------------+------+----------+---------------+-------+-------------+-------------------------------------+-----------+-------+----------------------+---------------------+----------------------------------+---------------------------------+----------------------------------+----------------+----------------+----------------+----------+-------------------------------
  8 | !43rymrEmEQFW6ugLlryibTjT0uVHqS3zGc5dfKKb                                      | 2022-05-24 18:41:43.213797+00 | f            | deleted-user-1653418385801                 | deleted-user-1653418385801@taiga.io                 | f         | Deleted user |         |     |                                                                                    | 2022-05-24 18:41:26.270247+00 |      |          | t             |       |             | deleted-user-1653418385801@taiga.io | f         |       |      |                     |                                  |                                 | 95df1e58c1d14e349bef75028a070e88 | t              | f              | t              | f        | 2022-05-24 18:53:05.802388+00

With the help of the JSON entries in the history_historyentry table, this information can be restored, though. For instance, the user column contains the user name and their ID for each event in the history: {"pk": 8, "name": "user"} (obtained by SELECT * FROM history_historyentry;). With the help of this information, one can easily guess that the 'Deleted user' from the other table is indeed called 'user'. Moreover, user details in the history are preserved and not anonymized, which might be in conflict with GDPR requirements.

Environment

I am using taiga-docker on branch stable (last commit: bd87d40f3c22def83ea6a502d3f16797c2933b2e). No errors were found in the container logs or the developer console.

• OS: Ubuntu 20.04.4 LTS
• Browser: Firefox 100.0.2 (64 bit)