Proper confirm dialogs for batch anonymise of submissions.

frjo · wes-otf · commit dc7bedaa9256 · 2026-05-20T10:04:36.000-04:00
diff --git a/hypha/apply/funds/templates/submissions/all.html b/hypha/apply/funds/templates/submissions/all.html
@@ -504,9 +504,10 @@
                     </button>
                     {% if SUBMISSION_ANONYMIZATION_ENABLED %}
                         <button
-                            hx-post="{% url 'apply:submissions:bulk-anonymize' %}"
+                            hx-get="{% url 'apply:submissions:bulk-anonymize-confirm' %}"
                             hx-include="[name='selectedSubmissionIds']"
-                            hx-confirm="{% trans 'Are you sure you want to anonymize the selected submissions? All draft submission will be deleted. This action cannot be undone.' %}"
+                            hx-target="#htmx-modal"
+                            hx-swap="innerHTML"
                             class="btn btn-sm"
                         >
                             {% heroicon_outline "user-minus" aria_hidden="true" size=14 class="stroke-base-content/80" %}
diff --git a/hypha/apply/funds/templates/submissions/bulk_anonymize_confirm.html b/hypha/apply/funds/templates/submissions/bulk_anonymize_confirm.html
@@ -0,0 +1,19 @@
+{% load i18n %}
+
+<c-modal.confirm
+    title="{% trans 'Anonymize applications' %}"
+    action="{% url 'apply:submissions:bulk-anonymize' %}"
+    initial_mode="anonymize"
+>
+    <p class="text-sm text-fg-muted">
+        {% blocktranslate trimmed with count=submission_ids|length %}
+            Are you sure you want to anonymize {{ count }} submission(s)?
+            Personal data will be removed and applications will only be accessible
+            via statistics in the Results view. All draft submissions will be deleted.
+            This action cannot be undone.
+        {% endblocktranslate %}
+    </p>
+    {% for id in submission_ids %}
+        <input type="hidden" name="selectedSubmissionIds" value="{{ id }}">
+    {% endfor %}
+</c-modal.confirm>
diff --git a/hypha/apply/funds/urls.py b/hypha/apply/funds/urls.py
@@ -11,6 +11,7 @@
 )
 from .views.all import (
     bulk_anonymize_submissions,
+    bulk_anonymize_submissions_confirm,
     bulk_archive_submissions,
     bulk_archive_submissions_confirm,
     bulk_delete_submissions,
@@ -112,6 +113,11 @@
             name="bulk-delete-confirm",
         ),
         path("all/bulk_delete/", bulk_delete_submissions, name="bulk-delete"),
+        path(
+            "all/bulk_anonymize_confirm/",
+            bulk_anonymize_submissions_confirm,
+            name="bulk-anonymize-confirm",
+        ),
         path("all/bulk_anonymize/", bulk_anonymize_submissions, name="bulk-anonymize"),
         path(
             "all/bulk_update_status/",
diff --git a/hypha/apply/funds/views/all.py b/hypha/apply/funds/views/all.py
@@ -407,25 +407,42 @@ def bulk_delete_submissions(request):
     return redirect(reverse("apply:submissions:list"))
 
 
+@login_required
+@require_http_methods(["GET"])
+def bulk_anonymize_submissions_confirm(request):
+    if not settings.SUBMISSION_ANONYMIZATION_ENABLED:
+        return HttpResponseForbidden()
+    if not permissions.can_bulk_delete_submissions(request.user):
+        return HttpResponseForbidden()
+
+    submission_ids = request.GET.getlist("selectedSubmissionIds")
+    return render(
+        request,
+        "submissions/bulk_anonymize_confirm.html",
+        {"submission_ids": submission_ids},
+    )
+
+
 @login_required
 @require_http_methods(["POST"])
 def bulk_anonymize_submissions(request):
-    if settings.SUBMISSION_ANONYMIZATION_ENABLED:
-        if not permissions.can_bulk_delete_submissions(request.user):
-            return HttpResponseForbidden()
+    if not settings.SUBMISSION_ANONYMIZATION_ENABLED:
+        return HttpResponseForbidden()
+    if not permissions.can_bulk_delete_submissions(request.user):
+        return HttpResponseForbidden()
 
-        submission_ids = request.POST.getlist("selectedSubmissionIds")
-        submissions = ApplicationSubmission.objects.filter(id__in=submission_ids)
+    submission_ids = request.POST.getlist("selectedSubmissionIds")
+    submissions = ApplicationSubmission.objects.filter(id__in=submission_ids)
 
-        services.bulk_anonymize_submissions(
-            submissions=submissions,
-            user=request.user,
-            request=request,
-        )
+    services.bulk_anonymize_submissions(
+        submissions=submissions,
+        user=request.user,
+        request=request,
+    )
 
+    if request.htmx:
         return HttpResponseClientRefresh()
-
-    return HttpResponseForbidden()
+    return redirect(reverse("apply:submissions:list"))
 
 
 @login_required
