fix: retirement PII leaks by redacting pending secondary email/name data

ktyagiapphelix2u · ktyagiapphelix2u · commit d929ff9ed943 · 2026-05-07T06:59:18.000Z
diff --git a/common/djangoapps/student/views/management.py b/common/djangoapps/student/views/management.py
@@ -893,9 +893,8 @@ def activate_secondary_email(request, key):
     # Overwrite the pending email with a neutral placeholder before deletion so
     # that any downstream soft-delete mirror does not retain the real address.
     # We do NOT use get_retired_email_by_email() here because this is a normal
-    # user action, not a retirement flow; a hashed retirement-style value would
-    # produce false-positive retirement signals in downstream systems.
-    pending_secondary_email_change.new_secondary_email = "completed@delete-pending.com"
+    # user action, not a retirement flow.
+    pending_secondary_email_change.new_secondary_email = "redacted@retired.invalid"
     pending_secondary_email_change.save(update_fields=['new_secondary_email'])
     pending_secondary_email_change.delete()
 
