feat: redact PII fields before delete in user retirement flows

[ktyagiapphelix2u]

Summary

Adds support for redacting sensitive PII fields before deletion in DeletableByUserValue models.

Changes include:

• Added redact_before_delete_fields hook to model mixin
• Redact emails before delete for:
  • CourseEnrollmentAllowed
  • PendingEmailChange
  • UnregisteredLearnerCohortAssignments
• Added SQL assertion helpers to verify UPDATE occurs before DELETE
• Added regression/unit tests for safe ID-filtered redaction and deletion flows
• Updated email change flow to use delete_by_user_value

Ticket & Reference

https://2u-internal.atlassian.net/browse/BOMS-498

Related PR

https://2u-internal.atlassian.net/browse/BOMS-565
https://2u-internal.atlassian.net/browse/BOMS-564

[robrap]

I don't really understand this test. Should it just have lines 617 and 618, where you ask to redact on a user that isn't in the table, and it returns that it didn't redact?

All the other details about the user 1 email change seem irrelevant and confusing. If you think it is important, I'd need better comments.

[ktyagiapphelix2u]

The test now:

1. Has a clear docstring explaining it verifies redacting a user with no pending email change returns False
2. Only tests the relevant behavior - calling redact on user2 (who has no email change record) returns False
3. Removes the confusing assertions about user1's email change data remaining unchanged

[robrap]

• Docstrings should have a one line summary, and an optional blank line and longer description. Like a comment message.
• Also, maybe add something like:

        Returns True if redacted, and False if no matching records found.

[ktyagiapphelix2u]

Done. Condensed to a one-line summary + the Returns line

[Akanshu-2u]

The PR description explicitly identifies activation_key as sensitive data that can still persist indirectly in logs, backups, or downstream systems. However, the implementation only redacts new_email . activation_key is left as-is. If downstream systems snapshot these rows, the activation key still leaks. It should be cleared before deletion, e.g.:

Suggested change

	record.new_email = get_retired_email_by_email(record.new_email)
	record.save(update_fields=['new_email'])
	record.new_email = get_retired_email_by_email(record.new_email)
	record.activation_key = '' # or a redacted value
	record.save(update_fields=['new_email', 'activation_key'])

[ktyagiapphelix2u]

@Akanshu-2u The activation_key field has a unique=True database constraint. If we attempt to redact it to a fixed value (empty string or redacted placeholder), we'll violate this constraint when processing multiple users, causing database integrity errors.

Additionally, the activation key is a random UUID with no PII - it's just a token

[robrap]

@ktyagiapphelix2u: The PR description mentions the activation key. I agree that this PR should not touch it, but can you update the PR description to remove any mention of it? Thanks.

[ktyagiapphelix2u]

Sure I have updated the PR Description

[Akanshu-2u]

If activation_key redaction is added, this assertion must be updated to verify the key is also cleared/replaced. As-is, this test will need to change regardless once above issue is fixed.

[ktyagiapphelix2u]

This test assertion is correct as-is and does not need to change.

As explained in the previous comment thread, we are not adding activation_key redaction

[Akanshu-2u]

Both queries fetch the same data. Since the queryset is lazy, .exists() and the for loop each trigger a separate SQL query. Change to:

Suggested change

	records_matching_user_value = cls.objects.filter(**filter_kwargs)
	if not records_matching_user_value.exists():
	return False
	for record in records_matching_user_value:
	records = list(cls.objects.filter(**filter_kwargs))
	if not records:
	return False
	for record in records:

This is a single DB hit, which matters more if the field filter ever doesn't use the OneToOneField on user.

Note: The change is optional.

[ktyagiapphelix2u]

Since PendingEmailChange has a OneToOneField on user, this will only ever return 0 or 1 records, so the memory impact is negligible while reducing database round-trips.

Thanks Updated

[robrap]

@ktyagiapphelix2u: The PR description mentions the activation key. I agree that this PR should not touch it, but can you update the PR description to remove any mention of it? Thanks.

[robrap]

Don't we just want to redact in delete_by_user_value before the delete happens? We'd use the same simple value from other PRs, like redact-before-delete@redacted.com. And this would resolve for any flow that is deleting this record, including retirement flow or completion of pending email changes, etc.

[robrap]

Additionally, I am alluding to two bugs in my above comment. Are these accurate? The PR description does not yet mention both of these. Also, the ticket has an AC that mentions three bugs. Is there another, or is that a copy/paste issue in the ticket?

[ktyagiapphelix2u]

Yes, there are two bugs this addresses:

Retirement flow - PendingEmailChange.delete_by_user_value() was called during account retirement without first redacting new_email, leaving the PII briefly visible (and in any soft-delete/audit snapshot taken at delete time).

Email confirmation flow - confirm_email_change in management.py also calls delete_by_user_value() when a pending email change is confirmed or cancelled, and it had the same gap. Moving the redaction inside the method fixes both flows simultaneously.

[vgulati-apphelix]

This change addresses a privacy issue in the retirement flow for users who have a pending primary email change.

Please elaborate the problem statement and solution provided.

[ktyagiapphelix2u]

Done. Condensed to a one-line summary + the Returns line

[ktyagiapphelix2u]

Sure I have updated the PR Description

[ktyagiapphelix2u]

Yes, there are two bugs this addresses:

Retirement flow - PendingEmailChange.delete_by_user_value() was called during account retirement without first redacting new_email, leaving the PII briefly visible (and in any soft-delete/audit snapshot taken at delete time).

Email confirmation flow - confirm_email_change in management.py also calls delete_by_user_value() when a pending email change is confirmed or cancelled, and it had the same gap. Moving the redaction inside the method fixes both flows simultaneously.

[ktyagiapphelix2u]

@robrap Redact at Call Sites (What you're suggesting)

In management.py:

# Email confirmation flow
user.email = pec.new_email
user.save()

# Redact inline before delete
pec.new_email = 'redacted@retired.invalid'
pec.save()
pec.delete()

In accounts/views.py:

# User retirement flow
# Redact inline before delete
PendingEmailChange.objects.filter(user=user).update(new_email='redacted@retired.invalid')
PendingEmailChange.objects.filter(user=user).delete()

What the current approch is

@classmethod
def delete_by_user_value(cls, value, field):
    records = cls.objects.filter(**{field: value})
    records.update(new_email='redacted@retired.invalid')
    records.delete()
    return True

In both call sites:
PendingEmailChange.delete_by_user_value(user, field="user")

# management.py - must remember to redact
pec.new_email = 'redacted@retired.invalid'
pec.save()
pec.delete()

# accounts/views.py - must remember again
records.update(new_email='redacted@retired.invalid')
records.delete()

# Future code in some other file 
pec.delete()  # ←if they forget to redact

So current implementation is correct

# Change in ONE place:
@classmethod
def delete_by_user_value(cls, value, field):
    records.update(new_email='redacted@retired.invalid')  #Only here
    # All callers automatically get the new value!

[ktyagiapphelix2u]

@robrap
PendingEmailChange overrides delete_by_user_value from DeletableByUserValue (in model_mixins.py) because the parent's version only deletes it has no knowledge of PII fields. The issue was that Fivetran's soft-delete ETL preserves deleted rows, so if new_email isn't redacted before deletion, the PII leaks downstream. The override works via Python's MRO: when any caller invokes PendingEmailChange.delete_by_user_value(...), Python finds the method on PendingEmailChange first and uses it automatically getting redaction without any change to the callers. We can't put the redaction logic in model_mixins.py itself because it's a generic mixin used by many models (UserOrgTag, CourseEnrollmentAllowed, etc.) that don't have a new_email field adding it there would either crash other models or force callers to pass field names in, which breaks loose coupling by making callers responsible for knowing a model's internal PII fields. The override keeps the design clean: callers stay unchanged, and each model owns its own redaction logic.

[ttak-apphelix]

mock_register is silently unused, comment doesn't explain why it's patched.

[ktyagiapphelix2u]

What I changed:

Removed the unused-argument suppression from the test.
Added an explicit assertion to use the patched mock:

mock_register.assert_called_once_with(self.request, expected_new_email)

[ttak-apphelix]

The test is verifying both (a) that redaction ordering is correct AND (b) that the email change itself succeeded end-to-end. The existing test_successful_email_change already covers the success path. This test should only assert the redaction ordering plus the record being gone — the response content, user email update, and ace_mail.send.call_count assertions are noise here and make it harder to understand what the test is actually for.

[ktyagiapphelix2u]

I narrowed test_successful_email_change_redacts_pending_email_before_delete so it now only checks:

SQL ordering: UPDATE on student_pendingemailchange occurs before DELETE.
The pending email change record is removed (PendingEmailChange.objects.count() == 0).

[robrap]

Thanks.

[robrap]

This is how I think I'd handle this...

Create a redact_before_delete_fields in DeletableByUserValue that returns a dict of fields and their redacted values.

• The default implementation of redact_before_delete_fields would return None or {}.
  • Not sure if you need to work with kwargs instead of a dict, and how that is done.
• The method docstring would be something like:

Returns dict of PII fields that will be redacted before delete, and their redacted values.

Always returns empty dict, unless overridden. Results will be used by `delete_by_user_value`
to redact before delete. This can be used by models containing PII, in case the data is synced
downstream, where soft-deletes would otherwise keep copies of the PII.

Then update delete_by_user_value to make use of this method to redact before delete. Then you wouldn't need this redundant implementation. As written, there is no need to even include DeletableByUserValue, since it has one method, it is overwritten, and the super is never called.

This would move the major testing to DeletableByUserValue as well. We'd have to determine if we'd want a shared test script for the actual models, or a mock of redact_before_delete_fields just to ensure it is called with the correct fields? Maybe we mock for now, or use a shared test method, to remove redundancy and then consider a refactor later?

Additionally, redact-pii-before-delete can happen under two circumstances:

1. During user retirement, where I don't think any operator would complain, or
2. Outside of user retirement, like sometimes occurs with a PendingEmailChange that is no longer pending.

For case 2, we are opting to redact early, which corrupts downstream soft-deleted data for users that are not retired, and may never retire. We are choosing for simpler/safer retirement, rather than later needing to track all these cases down and hard-delete this data from our downstream sync.
@bmtcril: Is it ok to make this decision for everyone, or would we want a setting named ENABLE_PII_REDACT_BEFORE_DELETE for circumstances like this? Related, if we added the setting, what would be its default?

[ktyagiapphelix2u]

We need to discuss this

[robrap]

Suggestion:

1. test_retire_user could have with CaptureQueriesContext(connection) as ctx:,
2. The SQL assertions could be moved to a test helper associated with DeletableByUserValue (e.g. a TestDeletableByUserValue mixin)?
3. test_retire_user calls the new assertion helper.

Otherwise, this adds a redundant test (which will be multiple redundant tests later), just to add some additional assertions.

[robrap]

I'd leave out this change. Eventually will be doing the same for all of these.

[ktyagiapphelix2u]

Updated

[robrap]

Note: This isn't actually a different test from test_successful_email_change, but simply an additional assertion. If we cleaned up the assertion code we probably don't need a separate test. See other comments for notes about cleaning up tests.

[ktyagiapphelix2u]

Done

[robrap]

Can we get this from PendingEmailChange? It's just a question that might make the assertion helper calls cleaner.

[ktyagiapphelix2u]

I switched it to PendingEmailChange._meta.db_table, so the test no longer hard-codes the table name and the helper call is a bit cleaner. It still exercises the same UPDATE-before-DELETE assertion.

[vgulati-apphelix]

@ktyagiapphelix2u avoid hitting the database twice for the same queryset creation.

Suggested change

	if redact_fields:
	cls.objects.filter(id__in=record_ids).update(**redact_fields)
	cls.objects.filter(id__in=record_ids).delete()
	queryset = cls.objects.filter(id__in=record_ids)
	if redact_fields:
	queryset.update(**redact_fields)
	queryset.delete()

[ktyagiapphelix2u]

Updated

[vgulati-apphelix]

@ktyagiapphelix2u why is this required?

[ktyagiapphelix2u]

I originally added self.request.session = {} as a defensive/default request setup since many Django management-view tests depend on session or message storage indirectly. After checking the actual confirm_email_change flow in management.py, it turns out this path does not use request.session, so the line was unnecessary and I removed it