A few months ago I went through the list of users on my system and deleted all of the ones that are no longer users. When I look at Site administration > Users > Browse list of users, they are not there so I (foolishly) believed that they had been deleted. Today I was doing some work with mysqldump and found that they all still exist in the database but are apparently just flagged so that Moodle doesn’t display them.
In these days of heightened security awareness, GDPR and FERPA, why aren’t “deleted” users actually deleted and why isn’t this documented? https://docs.moodle.org/38/en/Capabilities/moodle/user:delete
Searching the community forums it appears that there is no way to really delete user information from within Moodle without adding one or more plugins and that developers can’t even agree on the best way to erase the data.
As a Sys Admin my first instinct would be to use SQL commands to remove the deleted users but there seem to be several people warning against this. How do I tell my boss that we’re ready for an audit when there is such a glaring hole in Moodle’s security?! What other security “gotchas” are lurking in the depths of the thousands and thousands of entries of the community forums?Natassia