Users (v8) and GDPR... Again

[DennisHermannsen]

*sigh*... Here we go again.

I don't really know what to say anymore. There's a long discussion here about the topic:
 

Despite a lot of feedback, it feels like WHMCS didn't read anything but the first few replies.
In v8.1, WHMCS introduced the ability to delete users. It took them this long despite the fact that it was mentioned to them before the public release of v8.0 that WHMCS currently wasn't GDPR compliant. They released the update anyway. Numerous updates after, and we're finally here - we have the ability to delete users. Everything's good! Well yes, but actually no. I've mentioned it in other threads, but WHMCS took the easy route. They didn't go through the before-mentioned thread. They didn't think about GDPR at all. Even though you can delete users now, you're still saving information about those accounts after it has been deleted.

How do I know?
Before v8 was announced, I started working on a GDPR module that would allow clients to delete their accounts on their own. Everything was thought of - clients could opt to delete their account on a specific date, immediately or when their status would change to inactive due to no active products. It was almost ready to go into production. Introduce WHMCS v8... I spent the next couple of weeks complaining about WHMCS not thinking about GDPR and doing a half-assed job about the functions. When v8.1 was released, I thought I could get going again - but the "Delete User" function was not implemented with much thought...

1. You can't delete a user if that user has access to other accounts. There's no way to see which accounts the user has been invited to. You have to manually check it in the database.
2. There's no way to delete a user through the API yet. Even though it's been suggested multiple times. By now, I would have thought that WHMCS would expand their API before public release when adding new functions.
3. But wait, we can work around the above issues - I've just made some very messy code that pairs User Owner with the Client ID, and then I delete those entries from the database - problem solved!
4. NO! There's an annoying table called tbluser_invites that stores information about invites (why the frick does this needs to be saved forever?) It contains the ID of the invite, the invite token, the ID of the Client that sent the invite, the permissions  and - you guessed it - the fucking email address for the invited user.
   "Well Dennis, can't we just search for the user's current email address and delete entries from the table manually?"
   You could do that, unless the user changes his email address. The entry in the database does not get updated.

The problem is that even though you delete the user, you still store their email address in the database, and there's no way to delete it.

Could someone from WHMCS just sit down with someone who've thought this entire thing through and actually fix the problem? WHMCS 8 has so many good features, but no  company in the EU will be able to upgrade to WHMCS 8 without breaking GDPR compliance.

[Kian]

As far as I know they're working to find a solution but there's no ETA. The problem is that we are talking about the main feature of v8 and they didn't think about GDPR at all. As if GDPR no longer exists 😔  Honestly I don't see how they can fix the problem. I mean, their new account-design is against GDPR by default. How can you fix that? Maybe they should make this new design optional. Or automatically turn it off when WHMCS Default Country is in the EU. Finger crossed.

Personally I'm recommending to all my customers to stay with v7. The moment I explain the problem we have in v8 with GDPR... well... they're are not happy. Fines are real.

Edited December 3, 2020 by Kian

[DennisHermannsen]

15 hours ago, Kian said:

As far as I know they're working to find a solution but there's no ETA

And that's the big problem. v7.10 is going to be EOL in April 2021, so we have to upgrade before that. We have a few modules (self-coded) that needs to be updated but it's impossible to do without knowing how users will work in the next update.

 

15 hours ago, Kian said:

Honestly I don't see how they can fix the problem

And the solution is so easy. When you delete a user, delete all records for that user. Also the invite - just save the ID of the invited user in the tbluser_invites (obviously can't be done until the user has accepted the invite) instead of saving the ID of the user that invited and the user that you invite to (which would always be the same, wouldn't it?). When you then delete a user, just find all records for the user ID and delete them.

I'd also like for the DeleteClient function to have the option to delete the associated owner. It would solve me so much custom code. I've already made all of the code that searches for the user owner ID when deleting a client and deletes everything (except the invite), so I can't understand how WHMCS can't do this.

[WHMCS John]

Hi all,

Thanks for your feedback. I'm pleased to advise that following the major overhaul or the authentication and access systems in v8.0, we've implemented the extra features fed-back by our valued users. Manual  and automatic user deletion, and pruning of the invitation history have all been implemented in v8.1, currently in public pre-release testing:

https://blog.whmcs.com/133664/feature-spotlight-user-deletion-in-whmcs-81

Please give it a try and share your feedback in the pre-release board:

https://beta.whmcs.com

[DennisHermannsen]

3 minutes ago, WHMCS John said:

Hi all,

Thanks for your feedback. I'm pleased to advise that following the major overhaul or the authentication and access systems in v8.0, we've implemented the extra features fed-back by our valued users. Manual  and automatic user deletion, and pruning of the invitation history have all been implemented in v8.1, currently in public pre-release testing:

https://blog.whmcs.com/133664/feature-spotlight-user-deletion-in-whmcs-81

Please give it a try and share your feedback in the pre-release board:

https://beta.whmcs.com

Is there still no way to delete users through the API?

[WHMCS John]

Hi @DennisHermannsen,

A Delete User API command is not currently something we plan to add in v8.1.

However we welcome requests for new API commands online at http://requests.whmcs.com
Feel free to suggest this as a new idea for comment and voting upon by other WHMCS users.

The more votes an idea receives, the more likely it is to be considered by our development team for potential inclusion in a future feature update.