Post by marius-ciclistu » Sat Apr 07, 2018 3:18 pm

Hi. According to GDPR the user must have the right to be forgotten (or a button to delete its account). Is there a reason why that is not implemented by default? If I make it, would I affect some functionality of opencart (2.3.x for example)?

Thank you.


Post by thekrotek » Sat Apr 07, 2018 3:39 pm

Customers can enter bogus data in their profile, which is basically the same. Giving customers too many rights is a very bad idea, because in general they're stupid and often mess things up.

Professional OpenCart extensions, support and custom work.
Contact me via email or Skype by support@thekrotek.com




Post by marius-ciclistu » Sat Apr 07, 2018 3:45 pm

I'm not saying that you are not right in some cases... but the GDPR law starting on the 25th of May 2018 is stating that users must have some rights... The whole idea is big, the delete button is just a small portion of it, along with the new cookie accept policy (you must load cookies ONLY after the user accepts it...).

This GDPR makes opencart, as it is now and without any paid plugins installed, unusable if you want to have no stress that your firm will be sanctioned....


Post by Johnathan » Sun Apr 08, 2018 12:27 am

I think it hasn't been a priority to add to OpenCart because it's just not commonly used. In all my online accounts, I can only think of one or two that actually offer the ability to delete the user account.

If you need to do that in OpenCart, I would suggest giving the customer a link where they can e-mail the request to you. You can then just delete it from the admin panel. That's probably more cost effective than creating an actual front-end function for them to do it themselves, though that would be possible. You'd probably have to hire someone to write a custom modification for you, since I doubt that feature will make it into OpenCart soon (though I could be wrong, it's up to Daniel).

If you need to find a developer, you should post a request in the OpenCart "Commercial Support" forum, which is checked by a number of OpenCart developers. You can also try checking out the OpenCart "Partners" area.



Post by marius-ciclistu » Sun Apr 08, 2018 1:19 am

I started doing it myself... but... I'm in doubt now whether to scrap the opencart installation and replace it with static pages as, in my case, it has only 3 products.... The delete button for customers is not a big deal... But then there is the export of data stored about that customer... that can exist also without an account... and the cookies being used only after acceptance from the user....
There are many tables in the db that store data about the customer... even if the delete account only alters 4 or 5 of them....
There is a paid plugin for export but it sends the info via email and that is not secure in my opinion... and that plugin doesn't cover the cookies and delete options (I hope I'm not wrong).


Post by agatha65 » Mon Apr 09, 2018 11:03 am

The customer couldn't delete his account because it is related to the orders and the store owner has to be able to present the order information for taxes (for different countries it is from 3 to 10 years).

Suppliers Module - XML, CSV, XLS Product Feed Import and Update
Rich Snippets | Facebook Open Graph Meta Tags | WebP Images

Post by marius-ciclistu » Mon Apr 09, 2018 3:10 pm

agatha65 wrote:
Mon Apr 09, 2018 11:03 am
The customer couldn't delete his account because it is related to the orders and the store owner has to be able to present the order information for taxes (for different countries it is from 3 to 10 years).
I understand now. Well, I'll wait then to see if opencart will be made to respect the new GDPR law...

Thank you all.


Post by MrPhil » Tue Apr 10, 2018 2:22 am

A customer should be able to request that their data be taken offline, but as has been pointed out, there may be statutory requirements that the store keep it around for some period. The GDPR law is not well thought-out, and though it is founded on good intentions, in practice it is going to be a nightmare.


Post by marius-ciclistu » Tue Apr 10, 2018 2:51 am

MrPhil wrote:
Tue Apr 10, 2018 2:22 am
A customer should be able to request that their data be taken offline, but as has been pointed out, there may be statutory requirements that the store keep it around for some period. The GDPR law is not well thought-out, and though it is founded on good intentions, in practice it is going to be a nightmare.
For me, the fact that you must load cookies only after the user accepts them is the thing that can affect SEO and can make the websites look like adult websites, with a popup asking for cookie acceptance....


Post by straightlight » Tue Apr 10, 2018 4:49 am

The analogy posted on this topic is correct. This has been discussed before. Deleting customer accounts may reflect bad results to the orders that were completed among the same year period. Customers can still require to the store owners that their account gets deactivated as a service request. Idealistically, it would even be best to add a ticketing system extension so to ensure that the customer's ID and the date of the request is duly noted with his notes indicating proof of the deactivation process.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by MrPhil » Wed Apr 11, 2018 12:06 am

marius-ciclistu wrote:
Tue Apr 10, 2018 2:51 am
For me, the fact that you must load cookies only after the user accepts them,
Not true. Temporary cookies required for basic function do not need permission. Long-term cookies that invade privacy (beacons, tracking cookies) are what the law is supposed to require you to ask permission for. If the bureaucrats start dinging you for session cookies, it's time to disconnect the EU from the Internet. Let them go back to the Stone Age.


Post by marius-ciclistu » Thu Apr 12, 2018 2:01 am

MrPhil wrote:
Wed Apr 11, 2018 12:06 am
marius-ciclistu wrote:
Tue Apr 10, 2018 2:51 am
For me, the fact that you must load cookies only after the user accepts them,
Not true. Temporary cookies required for basic function do not need permission. Long-term cookies that invade privacy (beacons, tracking cookies) are what the law is supposed to require you to ask permission for. If the bureaucrats start dinging you for session cookies, it's time to disconnect the EU from the Internet. Let them go back to the Stone Age.
quote from https://www.itgovernance.eu/blog/en/how ... -policies/

Cookies are mentioned only once in the EU General Data Protection Regulation (GDPR), but the repercussions are significant for any organisation that uses them to track users’ browsing activity.

Recital 30 of the GDPR states:

Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

In short: when cookies can identify an individual via their device, it is considered personal data.

Now please give your opinion about the default cookie, PHPSESSID cookie, currency cookie and language cookie that opencart uses.


Post by straightlight » Thu Apr 12, 2018 2:18 am

PHPSESSID cookie
What about it?
currency cookie
Nothing to declare. Otherwise, I wouldn't imagine the database transaction intensity regarding the management of the currencies multiplied by the amount of users visiting the site.
language cookie
Not much of a security issue to be concerned about since it is a language parameter being applied with a POST method from the TPL / TWIG files over their relative controllers (by default). The only concern to wonder about is regarding the orders and the downloads, which I already cover on this topic: viewtopic.php?f=24&t=203124

As far as I am concerned with the use of cookies from Opencart over the GDPR compliance policy, there isn't much obstacle politically happening on that end.


Post by marius-ciclistu » Thu Apr 12, 2018 2:31 am

As far as a developer understands cookies you are right (you forgot to mention the default cookie).

The problem is, the law enforcement people are not php developers......

I saw your mods. Nice, thank you.


Post by straightlight » Thu Apr 12, 2018 2:40 am

The problem is, the law enforcement people are not php developers......
The goal of presenting the Opencart platform to the public, mainly, is for people to understand that no programming skills are required in order to use the OC admin and the store-front end interface. If PHP skills were specifically required, then providing its services over the forums or from site support would be totally useless. Which is why the forum has been ... 'integrated' (rather than built?) so as to provide services to the users who seek help with the platform.


Post by marius-ciclistu » Thu Apr 12, 2018 2:45 am

You are right. I meant that the law enforcement interprets the law, and the law is unclear and general about the cookie term. If you ask me, at least the PHPSESSID enters under the GDPR terms and must be loaded only after acceptance, but I could be wrong... I still don't know the default cookie's purpose (in 2.3.x).

In 3.x there are only OCSESSID, currency and language.


Post by straightlight » Thu Apr 12, 2018 2:49 am

If you ask me, at least the PHPSESSID enters under the GDPR terms and must be loaded only after acceptance
This analogy would be incorrect. The PHPSESS function is server-based and does not require user approval to provide a generic session ID to the user.
PHP uses one of two methods to keep track of sessions. If cookies are enabled, like in your case, it uses them.

If cookies are disabled, it uses the URL. Although this can be done securely, it's harder and it often, well, isn't. See, e.g., session fixation.

Google for it, you will get lots of SEO advice. The conventional wisdom is that you should use the cookies, but php will keep track of the session either way.
Source: https://stackoverflow.com/questions/137 ... -phpsessid

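A defender-side illustration of the cookie-versus-URL point quoted above (an added example, not OpenCart's own code and not from any poster): it makes PHP carry the session ID only in a hardened cookie, rejects IDs the server did not issue, and regenerates the ID on login, which is the mitigation the quoted answer alludes to with "session fixation". It assumes HTTPS and PHP 7.3 or later; onCustomerLogin and onCustomerLogout are hypothetical names, not OpenCart functions.

```php
<?php
// Added example (not OpenCart code). Assumes HTTPS and PHP >= 7.3.

// 1. Never accept or emit the session ID in the URL (?PHPSESSID=...),
//    so the ID cannot be planted via a crafted link.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// 2. Reject any session ID the server did not generate itself
//    (uninitialised IDs are discarded and a fresh one is issued).
ini_set('session.use_strict_mode', '1');

// 3. Cookie flags: HTTPS only, not readable from JavaScript, not sent
//    on cross-site requests, discarded when the browser closes.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// 4. After a privilege change (successful customer login) issue a new ID
//    so a session that existed before authentication cannot be reused.
function onCustomerLogin(int $customerId): void
{
    session_regenerate_id(true);   // true = delete the old session data
    $_SESSION['customer_id'] = $customerId;
    $_SESSION['login_at']    = time();
}

// 5. Explicit logout: clear server-side data and expire the cookie.
function onCustomerLogout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```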

Post by marius-ciclistu » Thu Apr 12, 2018 3:10 am

This will be my last reply on this issue about cookies. :) What you wrote I already know. But try explaining that to a NON IT person :) PHPSESSID is for identifying the user to the server, even if the user is not logged in, this cookie (even if it's a random string) with IP for example, can be used for identifying the user, so it's under GDPR terms......


Post by straightlight » Thu Apr 12, 2018 3:20 am

As far as I am concerned, OC v3.0.3.0b no longer has this issue since I can find no trace of cookies being used with PHPSESSID. OC v3.0.2.0 only uses this on openbay for remote connections but has been removed since the last unofficial release even though the $this->session->getId() may use an alternate method to gather a user-defined session ID.


Post by straightlight » Thu Apr 12, 2018 3:32 am

In addition, the default installation of Opencart initiates those sessions with the sessions table which despites the GDPR compliancy since the session ID is not directly provided on the front-end of the browser but still being provided to the browser. The system/library/session.php file destroys its session ID based on the selected adaptor which, again - by default, is over the database after an interval of 1 hour in anyhow or if the generated session ID is unmatched.

The only concern with the GDPR compliancy would be with those users who rather define the adaptor configuration by file rather than the database. That's a question I will have to ask on Github.
