It’s kinda tricky / dangerous to remove stuff based on the username so I opted out to instead replace the whole context and details fields with a [removed due to user anonymization] message
main ← fix-anonymizer-historical-logs
approved 10:35AM - 08 Jan 26 UTC
When `log_anonymizer_details` is disabled, the anonymization process correctly a… voids recording the old username in the new "anonymize_user" log entry. However, historical staff action logs created before anonymization (like "check_email") could still contain the original username in fields like `context` or `previous_value`, making it possible to link an anonymized user back to their original identity.
For example, when an admin views a user's email from `/admin/users/123/johndoe`, the staff action log stores that URL path in the `context` field. After anonymization, this path still contains "johndoe", defeating the purpose of the setting.
This fix passes the original username to the AnonymizeUser background job, which now scrubs any historical UserHistory records that contain the username. Rather than attempting error-prone string replacement, affected fields are replaced with "[removed due to user anonymization]" to make it clear why the data is missing while preserving the audit trail.
Ref - https://meta.discourse.org/t/387500
3 Likes