Description
We're trying to make our site GDPR-compliant, and I came across two privacy issues with this app.
The first is simply that avatar image files aren't deleted when a user is deleted. Of course one could first delete the avatars (though see #175), but one would sort of expect everything related to a user to be deleted together with the user (as is the case with database entries).
The second issue is a bit more subtle. The setting `AVATAR_EXPOSE_USERNAMES` is `True` by default, which causes the usernames to be exposed as directory names in the avatar image storage. I don't see the upside to this; it would seem preferable to me to make this `False` by default (in which case the directories are named by user IDs). But more problematic than the use of current usernames is the fact that when a user's username is changed, the directory isn't moved but continues to be named by the old username. For the original uploaded images, this isn't a problem, since their filenames are stored in the `Avatar` model, so they can still be retrieved and deleted. But the cached resized images in the `resized` directories are orphaned by this change -- nothing points to them anymore, they're still in the old username directory but can't be accessed or deleted; when they're needed, they get regenerated under the new username. Thus, even if all the user's avatars are deleted before the user is deleted, a directory will still hang around that's named by a previous username and contains cached resized avatar images of the user.
I wrote a migration that resolves this situation by collecting all accessible avatar images in directories named by user IDs and deleting the remaining cached images.
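As an added illustration of the cleanup the migration describes (this is example code written for this page, not the migration from the issue and not the app's own code), the following stand-alone script builds a constructed storage tree with the two situations from the report (a user renamed from `alice` to `alice2`, and a deleted user `bob` whose files were left behind), relocates every original that an `Avatar` row still references into a directory named by user ID, and removes everything else, including all `resized` caches. The directory layout (`<root>/<username-or-id>/<filename>` and `<root>/<username-or-id>/resized/<size>/<filename>`), the `AvatarRecord` shape and the helper names are assumptions made for the example.

```python
import os
import shutil
import tempfile
from dataclasses import dataclass, field

# Assumed storage layout (a simplification of what the issue describes; not
# the app's real path handler):
#   <root>/<username-or-id>/<filename>                 original uploads
#   <root>/<username-or-id>/resized/<size>/<filename>  cached resized copies
RESIZED_DIR = "resized"


@dataclass
class AvatarRecord:
    """Stand-in for one Avatar model row: the owning user's ID and the stored
    original's path relative to the storage root (e.g. "alice/photo.png")."""
    user_id: int
    path: str


@dataclass
class CleanupPlan:
    moves: list = field(default_factory=list)     # (src, dst) for originals still referenced
    removals: list = field(default_factory=list)  # directories to delete recursively


def plan_cleanup(root, records):
    """Relocate every original that an Avatar row still points to into a
    directory named by user ID, then schedule everything else for deletion:
    directories named by old or current usernames, and every resized cache
    (caches are regenerated on demand, so dropping them loses nothing)."""
    plan = CleanupPlan()
    keep_dirs = set()
    claimed = set()
    for rec in records:
        src = os.path.normpath(os.path.join(root, rec.path))
        if not os.path.isfile(src):
            continue  # stale row; nothing on disk to preserve
        dst_dir = os.path.normpath(os.path.join(root, str(rec.user_id)))
        keep_dirs.add(dst_dir)
        base, ext = os.path.splitext(os.path.basename(src))
        dst = os.path.join(dst_dir, base + ext)
        n = 1
        # Two originals from different username directories may share a
        # filename; give the later one a numeric suffix instead of clobbering.
        while dst in claimed or (os.path.exists(dst) and dst != src):
            dst = os.path.join(dst_dir, f"{base}_{n}{ext}")
            n += 1
        claimed.add(dst)
        if dst != src:  # already stored under the ID directory: nothing to move
            plan.moves.append((src, dst))
    for name in sorted(os.listdir(root)):
        top = os.path.normpath(os.path.join(root, name))
        if not os.path.isdir(top):
            continue
        if top in keep_dirs:
            cache = os.path.join(top, RESIZED_DIR)
            if os.path.isdir(cache):
                plan.removals.append(cache)  # keep originals, drop the cache
        else:
            plan.removals.append(top)  # old-username or deleted-user directory
    return plan


def apply_plan(plan):
    """Moves run before removals so a referenced original is never deleted
    together with the old-username directory it used to live in."""
    for src, dst in plan.moves:
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.move(src, dst)
    for path in plan.removals:
        shutil.rmtree(path)


def storage_listing(root):
    """Every file under root as a sorted, slash-separated relative path."""
    out = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            rel = os.path.relpath(os.path.join(dirpath, f), root)
            out.append(rel.replace(os.sep, "/"))
    return sorted(out)


# Constructed sample: user 1 uploaded as "alice" and was later renamed to
# "alice2"; user 2 ("bob") was deleted without their avatars being removed.
SAMPLE_RECORDS = [AvatarRecord(user_id=1, path="alice/photo.png")]
SAMPLE_FILES = [
    "alice/photo.png",              # original, still referenced by the Avatar row
    "alice/resized/80/photo.png",   # cache orphaned by the rename
    "alice2/resized/80/photo.png",  # cache regenerated under the new username
    "bob/old.png",                  # deleted user's original, no row points to it
    "bob/resized/80/old.png",
]


def build_sample_storage():
    root = tempfile.mkdtemp(prefix="avatars_")
    for rel in SAMPLE_FILES:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"\x89PNG placeholder")  # constructed content, not a real image
    return root


def run_demo():
    """Build the sample tree, clean it up, and report what happened."""
    root = build_sample_storage()
    before = storage_listing(root)
    plan = plan_cleanup(root, SAMPLE_RECORDS)
    apply_plan(plan)
    after = storage_listing(root)
    shutil.rmtree(root)
    return {
        "before": before,
        "after": after,
        "moved": len(plan.moves),
        "removed": sorted(os.path.basename(p) for p in plan.removals),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it leaves only `1/photo.png` behind: the orphaned `alice` cache, the regenerated `alice2` cache and all of `bob` are gone, and the one original that a row still references now lives under the user's ID, so a later rename no longer strands anything.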