• As it is I can only delete users by providing the Auth token for admin accounts.

    This behaviour isn’t compliant with GDPR law, so I’m wondering if I can allow users to delete their own account with the REST API.

    To specify I’d like to be able to make the following request:

    DELETE /wp-json/wp/v2/users/<id>?reassign=9&force=true

    Using the user’s auth token as Authorization.

    I’m aware that some plugins allow this from wp-admin, however I’m unsure if they encompass the API as well.

    I’d like a functions.php solution if that’s possible.

    • This topic was modified 4 years, 10 months ago by Jan Dembowski.
  • It is possible that you may have a significant misunderstanding of the requirements of the GDPR. Please contact a licensed professional in the relevant jurisdiction, with specific expertise in internet privacy, combined with coding practices.

    Allowing users to delete accounts via REST will also very likely expose a site to attackers (bots in particular) trying to maliciously delete user data.

    Functions.php is a theme-specific file and is not advisable in such a case.

    Thread Starter creativiii

    (@creativiii)

    Hi,

    Thank you for the quick response. While it’s good to know that we’re not breaching GDPR I’d still like the functionality.

    I asked for a functions.php solution so I could implement it within a plugin, that may have not been clear!

    Let me know if you can help.

    Moderator bcworkz

    (@bcworkz)

    Removing personally identifiable information per GDPR requirements is not the same as completely removing a user’s records. Only roles with “delete_users” capability can completely delete user records, so it’s not really feasible to do so for common users through the /users/ API route. I suggest creating a custom route/endpoint if you really want to do this. This will help you bypass some of the restrictions WP imposes.

    There is significant risk of abuse if this is not done properly. Take great care to ensure all security related measures are in place so deleting one’s own user records is the only possible action no matter what. Be sure that all related data is removed, such as those in user meta.
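    One way to implement the custom endpoint described above, as an added example that is not code from this thread: it registers DELETE /wp-json/account/v1/me, whose permission callback accepts only the authenticated caller and refuses privileged accounts, and whose handler deletes only the caller's own record. The namespace, the ssad_ function names and the ssad_reassign_user_id option are assumed names; the request must still carry WordPress REST authentication (cookie plus X-WP-Nonce, or an application password).

```php
<?php
/**
 * Plugin Name: Self-Service Account Deletion (example)
 * Registers DELETE /wp-json/account/v1/me so a logged-in user can remove
 * only their own account. Example code, not from the thread above.
 */
add_action( 'rest_api_init', function () {
    register_rest_route( 'account/v1', '/me', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'ssad_delete_own_account',
        'permission_callback' => 'ssad_can_delete_own_account',
        'args'                => array(
            // Explicit confirmation so a stray DELETE cannot wipe an account.
            'confirm' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) { return 'DELETE' === $value; },
            ),
        ),
    ) );
} );

function ssad_can_delete_own_account() {
    // Unauthenticated requests (bots included) are rejected before the handler runs.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $user_id = get_current_user_id();
    // Refuse privileged accounts so a stolen admin session cannot use this route.
    if ( user_can( $user_id, 'delete_users' ) || is_super_admin( $user_id ) ) {
        return new WP_Error( 'rest_forbidden', 'Privileged accounts cannot be deleted here.', array( 'status' => 403 ) );
    }
    return true;
}

function ssad_delete_own_account( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/user.php'; // defines wp_delete_user()
    // The target is always the caller; no user id is accepted from the request.
    $user_id = get_current_user_id();
    // Assumed option: an archive account to receive the user's posts; null deletes them instead.
    $reassign = (int) get_option( 'ssad_reassign_user_id', 0 ) ?: null;
    if ( ! wp_delete_user( $user_id, $reassign ) ) {
        return new WP_Error( 'delete_failed', 'Account could not be deleted.', array( 'status' => 500 ) );
    }
    // wp_delete_user() also removes every usermeta row for this user.
    wp_logout();
    return rest_ensure_response( array( 'deleted' => true ) );
}
```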

  • The topic ‘Allow users to delete their accounts from Rest API’ is closed to new replies.