`Log anonymizer details` setting not fully anonymizing usernames

Moin · November 3, 2025, 9:35pm

If you have checked a user’s email address before, their username stays in the staff action logs, even if Log anonymizer details is disabled.

Steps to reproduce:

Disable the Log anonymizer details site setting.
Open the user’s admin page.
Click the “Show” button to view the email address.

Screenshot_20251103_221532_Firefox1815×964 191 KB
Anonymize the user.
Look at the staff action logs.

Screenshot_20251103_222026_Firefox1812×338 88.4 KB

Result: Although the setting is intended to prevent the username from being linked to the anonymized names, it is obvious because of the ‘check email’ log. I would expect the username to be anonymized in the path specified there if the setting prevents the username from being saved.

If the Log anonymizer details setting saves the username in the logs during anonymization, it does not matter that the username stay unchanged in the path.

zogstrip · January 1, 2026, 12:52pm

It’s kinda tricky / dangerous to remove stuff based on the username so I opted out to instead replace the whole context and details fields with a [removed due to user anonymization] message

github.com/discourse/discourse

FIX: Clean up historical staff logs when anonymizing users

main ← fix-anonymizer-historical-logs

opened 12:50PM - 01 Jan 26 UTC

ZogStriP

+47 -0

When `log_anonymizer_details` is disabled, the anonymization process correctly a…voids recording the old username in the new "anonymize_user" log entry. However, historical staff action logs created before anonymization (like "check_email") could still contain the original username in fields like `context` or `previous_value`, making it possible to link an anonymized user back to their original identity. For example, when an admin views a user's email from `/admin/users/123/johndoe`, the staff action log stores that URL path in the `context` field. After anonymization, this path still contains "johndoe", defeating the purpose of the setting. This fix passes the original username to the AnonymizeUser background job, which now scrubs any historical UserHistory records that contain the username. Rather than attempting error-prone string replacement, affected fields are replaced with "[removed due to user anonymization]" to make it clear why the data is missing while preserving the audit trail. Ref - https://meta.discourse.org/t/387500

Topic		Replies	Views
User anonymization and staff_action_logs Support	7	703	September 8, 2021
User still able to log in after anonymization Bug anonymization	4	68	November 30, 2025
Username change logging even if it failed Bug	3	589	May 13, 2019
Profile links not updated after anonymizing an user? Support anonymization	0	122	July 5, 2021
Admins changing user's name (not username) should be logged Bug	5	746	November 22, 2018

`Log anonymizer details` setting not fully anonymizing usernames

Related topics