fix: Redact SSO PII before deletion

ktyagiapphelix2u · ktyagiapphelix2u · commit 929fb79369c3 · 2026-05-11T08:48:01.000Z
diff --git a/openedx/core/djangoapps/user_api/accounts/tests/test_signals.py b/openedx/core/djangoapps/user_api/accounts/tests/test_signals.py
@@ -33,6 +33,15 @@ def _create_social_auth(self, uid='user@example.com', extra_data=None):
             extra_data=extra_data,
         )
 
+    def test_get_redacted_social_auth_uid_format(self):
+        """
+        Test that get_redacted_social_auth_uid returns the expected string format.
+
+        This is the single source of truth for the redacted uid format.
+        """
+        assert get_redacted_social_auth_uid(42) == 'redacted-before-delete-42@safe.com'
+        assert get_redacted_social_auth_uid(1) == 'redacted-before-delete-1@safe.com'
+
     def test_signal_warns_and_redacts_when_not_already_redacted(self):
         """
         When a UserSocialAuth is deleted without prior redaction, the signal handler
diff --git a/openedx/core/djangoapps/user_api/accounts/tests/test_utils.py b/openedx/core/djangoapps/user_api/accounts/tests/test_utils.py
@@ -5,13 +5,14 @@
 from completion import models
 from completion.test_utils import CompletionWaffleTestMixin
 from django.db import connection
+from django.db.models.signals import pre_delete
 from django.test import TestCase
 from django.test.utils import CaptureQueriesContext, override_settings
 from social_django.models import UserSocialAuth
 
 from common.djangoapps.student.models import CourseEnrollment
 from common.djangoapps.student.tests.factories import UserFactory
-from openedx.core.djangoapps.user_api.accounts.signals import get_redacted_social_auth_uid
+from openedx.core.djangoapps.user_api.accounts.signals import get_redacted_social_auth_uid, redact_social_auth_pii_before_deletion
 from openedx.core.djangoapps.user_api.accounts.utils import (
     redact_and_delete_social_auth,
     retrieve_last_sitewide_block_completed,
@@ -145,8 +146,25 @@ def test_retrieve_last_sitewide_block_completed(self):
 class RedactAndDeleteSocialAuthTest(TestCase):
     """
     Tests for the redact_and_delete_social_auth utility function.
+
+    The safety-net pre_delete signal handler is disconnected for all tests in this class
+    to verify that redact_and_delete_social_auth itself redacts before deleting,
+    not the fallback signal.
     """
 
+    @classmethod
+    def setUpClass(cls):
+        super().setUpClass()
+        # Disconnect the safety-net signal so tests verify redact_and_delete_social_auth
+        # itself issues the UPDATE before DELETE, not the signal.
+        pre_delete.disconnect(redact_social_auth_pii_before_deletion, sender=UserSocialAuth)
+
+    @classmethod
+    def tearDownClass(cls):
+        super().tearDownClass()
+        # Reconnect the signal after the test class completes.
+        pre_delete.connect(redact_social_auth_pii_before_deletion, sender=UserSocialAuth)
+
     def setUp(self):
         super().setUp()
         self.user = UserFactory.create(username='testuser', email='testuser@example.com')
@@ -183,17 +201,6 @@ def create_social_auth(self, provider='google-oauth2', uid='user@example.com', e
             extra_data=extra_data,
         )
 
-    def test_get_redacted_social_auth_uid_format(self):
-        """
-        Test that get_redacted_social_auth_uid returns the expected string format.
-
-        This is the single source of truth for the redacted uid format.
-        If this test breaks, the bulk retirement Concat/Cast in utils.py and
-        retire_user.py must also be updated to match.
-        """
-        assert get_redacted_social_auth_uid(42) == 'redacted-before-delete-42@safe.com'
-        assert get_redacted_social_auth_uid(1) == 'redacted-before-delete-1@safe.com'
-
     def test_redact_and_delete_issues_update_before_delete(self):
         """
         Test that redact_and_delete_social_auth issues an UPDATE (redaction) before the DELETE.
diff --git a/openedx/core/djangoapps/user_api/accounts/utils.py b/openedx/core/djangoapps/user_api/accounts/utils.py
@@ -211,12 +211,10 @@ def redact_and_delete_social_auth(user_id, skip_delete=False):
 
     ``skip_delete`` should only be set to True when called from the pre_delete signal
     handler, where deletion is already in progress.
-
-    The uid format matches ``get_redacted_social_auth_uid()``.
     """
     social_auth_queryset = UserSocialAuth.objects.filter(user_id=user_id)
+    # Important: this redacted uid must match the format used by ``get_redacted_social_auth_uid()``.
     social_auth_queryset.update(
-        # Important: this redacted uid must match the format used by  ``get_redacted_social_auth_uid()``.
         uid=Concat(
             Value(REDACTED_SOCIAL_AUTH_UID_PREFIX),
             Cast('id', output_field=CharField()),
