
User Login History

siddharth

💖 Chevereto Fan
💡Describe your Feature request

As of now, there is no way to see this info.

1) Last login time of the user
2) Login history with IP, Browser, OS and Country history

Based on this, we can have info in the dashboard about (as a separate RFC)

1) Active users for the past 24 hours or week or month
2) Current login users count
 
There are 2 overlapping RFCs here; in both cases it is about pretty much the same concern. Don't mind that much about which topic should remain, as long as both tickets aim towards a common goal.

1) Last login time of the user
This one is about "last seen" datetime.

2) Login history with IP, Browser, OS and Country history
To implement "last seen" we require to store some of these fields in a new database table.

These depend on "last seen":

1) Active users for the past 24 hours or week or month
That list can be built with the data of the table described above.

2) Current login users count
That count can also be built with the data from the table above.
 
This shouldn't be implemented as it is against GDPR law. To store users' login history data for the benefit of others to see would be breaching their privacy. Even updating your Privacy Policy to make users aware that you are tracking their login history is making you a target for a lawsuit.
 
This shouldn't be implemented as it is against GDPR law. To store users' login history data for the benefit of others to see would be breaching their privacy. Even updating your Privacy Policy to make users aware that you are tracking their login history is making you a target for a lawsuit.

Please link to the article or the rules where it says we cannot store login history from some reputed website.

Don't create your own laws, as I am aware we need to honour the user request when they want to delete the details from the website. Nowhere is it mentioned that we cannot store the login history.

 
Please link to the article or the rules where it says we cannot store login history from some reputed website.

Don't create your own laws, as I am aware we need to honour the user request when they want to delete the details from the website. Nowhere is it mentioned that we cannot store the login history.

So. A user is not happy with their "Last Seen" information being displayed on your website. How do you propose you remove it for one single user?

I am very well versed in GDPR and I had to take a course in it for my work. Displaying users' "Last Seen" information is a breach of privacy and lots of online communities have removed that information to comply.

No point in explaining when you don't get the idea of the RFC. I am not going to make any further reply to this thread as there is no point in arguing with you.

Let me save my time.

Just as you said in another post, I also don't have time to explain to you what you can and can't do with regards to GDPR.

If this gets implemented into Chevereto I will remove the code as it violates users' privacy.
 
You don't have to explain to me, but if you don't want it to be implemented or don't want the author to consider your request, you need to submit valid proof that it violates the GDPR law.

GDPR is the law, and you can quickly refer to some online article to make your statement valid. Till then, it won't be considered a valid statement. Until then, it will be considered only as some user with half-known GDPR law commenting about it.

FYI - Google.com - https://support.google.com/mail/answer/45938?ctx=gmail&hl=en&authuser=6
 
If a feature potentially breaks the GDPR (or any other law) then mention this in the RFC comments: "I would like an option to turn this off because it breaks X law".

If something breaks the law in your context then ask for an on/off switch, not to take down the RFC.

P.S. This is for all applicable laws, not just GDPR.
 
I am extremely well versed in privacy rights. I am studying a doctorate on that level. There's nothing illegal about this.

Access logs are legal with GDPR. You can track your users' last login dates, even if they wish to hide it from the public. However, you're an administrator; you should still be able to see this if this feature gets added.

SQL is secure and encrypted by default. If you don't put a password on your database that is kind of a site owner problem and not a Chevereto problem.

The keys to staying compliant here in California and with GDPR are:
1) allow a user to delete their data entirely.
2) allow a user to download their data (Chevereto already has this in the admin panel)
3) encrypt the access log (aka store it in SQL not a plain text file) again Chevereto already does this.

Also Chevereto only has to really obey Chile law.
 
To be fair, SQL databases aren't encrypted by default. The password only restricts access to the database; it doesn't provide the cipher function you describe. The cipher function is usually provided on the system running the database (for example a virtualized server) or directly (as the encryption added recently in Chevereto).

The difference is subtle, but in both cases the logs are encrypted. Let's just hope they don't go this technical in the future 😅.
 
This shouldn't be implemented as it is against GDPR law. To store users' login history data for the benefit of others to see would be breaching their privacy. Even updating your Privacy Policy to make users aware that you are tracking their login history is making you a target for a lawsuit.
GDPR law does not say it isn't allowed to store users' IP and such, but it does say that if a user wants to leave then the site is guilty to wipe the user's data off the site and no longer store it. The site may also not hand out the information to 3rd parties and such since it acts as personalized information. For example, before this Facebook would sell every information from accounts on their site to 3rd parties, but now that GDPR law is here it forbids Facebook from doing so, and it is also forbidden to transfer data stored in Europe over to US servers that contains personalized information about the user accounts such as first name, last name, address and so on.

I do suggest you re-read what GDPR law actually is. Since if GDPR law forbids a site from storing users' IP, then how shall a site combat abusive accounts? Like, how is law enforcement going to get the IP from these accounts if GDPR law forbids it? That does not make sense at all.
 