fix: Redact SSO PII before deletion

ktyagiapphelix2u · ktyagiapphelix2u · commit 7528c082e2c1 · 2026-05-08T13:03:34.000Z
diff --git a/openedx/core/djangoapps/user_api/accounts/signals.py b/openedx/core/djangoapps/user_api/accounts/signals.py
@@ -47,7 +47,8 @@ def redact_social_auth_pii_before_deletion(sender, instance, **kwargs):  # pylin
     # Safety-net in case the record wasn't redacted before delete.
     if instance.extra_data or instance.uid != redacted_uid:
         logger.warning(
-            'Social auth link for user_id=%s, provider=%s was deleted without first being redacted. Redacting in pre_delete.',
+            'Social auth link for user_id=%s, provider=%s was deleted without first being redacted.'
+            ' Redacting in pre_delete.',
             instance.user_id,
             instance.provider,
         )
diff --git a/openedx/core/djangoapps/user_api/accounts/utils.py b/openedx/core/djangoapps/user_api/accounts/utils.py
@@ -207,6 +207,8 @@ def redact_and_delete_social_auth(user_id, skip_delete=False):
     Redact PII from all UserSocialAuth records for the given user, then delete them.
 
     Redaction happens before deletion so that any observers see only sanitised data.
+    Downstream copies of data may use soft-deletes, and redacting before deleting
+    ensures PII for retired users (or future retirements) is not retained.
     The uid format matches ``get_redacted_social_auth_uid()``.
 
     ``skip_delete`` should only be set to True when called from the pre_delete signal
