fix: redact pending primary email before retirement delete #38385
Open
ktyagiapphelix2u wants to merge 2 commits into openedx:master from
Conversation
robrap reviewed Apr 21, 2026
Contributor
robrap left a comment
Thanks @ktyagiapphelix2u.
| if not records_matching_user_value.exists(): | ||
| return False | ||
| for record in records_matching_user_value: | ||
| record.new_email = get_retired_email_by_email(record.new_email) |
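Review bot: the `records_matching_user_value.exists()` guard followed by the `for` loop issues two queries on the common path where records do exist; the loop already handles the empty case, so counting updated rows inside the loop and returning `updated > 0` gives the same Boolean with one round trip. Style point only, not a blocker.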
Contributor
Did we discuss get_retired_email_by_email on another PR already? Where is that comment?
| return False | ||
| for record in records_matching_user_value: | ||
| record.new_email = get_retired_email_by_email(record.new_email) | ||
| record.activation_key = uuid.uuid4().hex |
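Review bot: these lines overwrite `record.new_email` and `record.activation_key` in memory, but no `record.save()` (or a `bulk_update` on the queryset) is visible in this excerpt; if persistence happens outside the shown lines that is fine, but if it is missing, the delete that follows will replicate the original values and the redaction has no effect. Rotating the key with `uuid.uuid4().hex` rather than blanking it keeps the column populated, which is sensible if the field is non-null; a one-line comment stating that intent would help the next reader.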
| # Retire misc. models that may contain PII of this user. | ||
| # Redact pending primary email fields before delete because | ||
| # downstream replication can preserve soft-deleted snapshots. | ||
| PendingEmailChange.redact_pending_email_by_user_value(user, field="user") |
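Review bot: the Boolean return value is discarded here, which is harmless, but the ordering the comment promises (redact first, then the existing delete of PendingEmailChange rows) should be enforced rather than implied: if this call site is not already inside `transaction.atomic()`, wrap the redaction and the delete together so a failure between the two cannot leave an unredacted row for the later delete to replicate, and so the redacted state is committed before the tombstone.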
Contributor
Based on delete_by_user_value, it seems like redact_by_user_value would be a more consistent name.
Summary

This change resolves a privacy gap in the retirement flow for users with a pending primary email change. It ensures sensitive fields are redacted before deletion so no readable data persists after retirement.

Problem

When a user retires while having an active record in student_pendingemailchange, the record is deleted as part of the retirement process. However, due to downstream soft-delete behavior, the deleted record may still persist with sensitive fields (such as pending email and activation key) in a readable form.

Root Cause

The retirement flow was directly deleting PendingEmailChange records without redacting sensitive fields beforehand.

What Changed

PendingEmailChange before deletion

Behavior Before

Behavior After

Ticket & Reference

https://2u-internal.atlassian.net/browse/BOMS-499
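An added illustration of the ordering this PR enforces, written for this page and not taken from the PR or from edx-platform: a toy primary store streams every write and delete to a replica that keeps soft-deleted snapshots, and the same retirement is run once delete-only (the behavior before) and once redact-then-delete (the behavior after). The names `Primary`, `Replica`, `retired_email_for`, `redact_pending_email_by_user` and `run_scenario`, and the salted-hash retired-address format, are assumptions made for this example; edx-platform's `get_retired_email_by_email` is not reproduced.

```python
"""Added example (not code from this PR or edx-platform): why a pending email
change row must be redacted before it is deleted when a downstream replica
keeps soft-deleted snapshots.

Hypothetical pieces: Primary (source table that forwards writes and deletes),
Replica (keeps the last committed state of a deleted row), and a constructed
retired-address convention standing in for get_retired_email_by_email."""
import hashlib
import uuid
from dataclasses import dataclass, replace

# Constructed convention for this example only; real deployments use their own.
RETIRED_EMAIL_FMT = "retired__user_{}@retired.invalid"
RETIRED_SALT = "example-salt"


def retired_email_for(email: str) -> str:
    """Deterministic, non-reversible replacement for a real address (assumed format)."""
    digest = hashlib.sha256((RETIRED_SALT + email.lower()).encode("utf-8")).hexdigest()
    return RETIRED_EMAIL_FMT.format(digest[:32])


@dataclass
class PendingEmailChange:
    user_id: int
    new_email: str
    activation_key: str


class Replica:
    """Downstream copy with soft delete: a delete on the primary does not remove
    the row here, it only freezes the row's last committed state."""

    def __init__(self) -> None:
        self.snapshots: dict[int, PendingEmailChange] = {}

    def on_write(self, row: PendingEmailChange) -> None:
        self.snapshots[row.user_id] = replace(row)

    def on_delete(self, row: PendingEmailChange) -> None:
        self.snapshots[row.user_id] = replace(row)  # retains whatever was last committed


class Primary:
    """Source-of-truth table; every change is streamed to the replica."""

    def __init__(self, replica: Replica) -> None:
        self.rows: dict[int, PendingEmailChange] = {}
        self.replica = replica

    def save(self, row: PendingEmailChange) -> None:
        self.rows[row.user_id] = row
        self.replica.on_write(row)

    def delete_by_user(self, user_id: int) -> bool:
        row = self.rows.pop(user_id, None)
        if row is None:
            return False
        self.replica.on_delete(row)
        return True


def redact_pending_email_by_user(primary: Primary, user_id: int) -> bool:
    """Overwrite the PII-bearing fields and persist them: replace the pending
    address with its retired form and rotate the activation key."""
    row = primary.rows.get(user_id)
    if row is None:
        return False
    row.new_email = retired_email_for(row.new_email)
    row.activation_key = uuid.uuid4().hex
    primary.save(row)  # the persisted, redacted state is what the replica keeps
    return True


def retire_pending_email_change(primary: Primary, user_id: int, redact_first: bool) -> None:
    """redact_first=False is the pre-fix behavior; True is the fixed ordering."""
    if redact_first:
        redact_pending_email_by_user(primary, user_id)
    primary.delete_by_user(user_id)


def replica_exposes(replica: Replica, user_id: int, original_email: str, original_key: str) -> bool:
    """True if the replica's retained snapshot still holds either original value."""
    snap = replica.snapshots.get(user_id)
    if snap is None:
        return False
    return snap.new_email == original_email or snap.activation_key == original_key


def run_scenario(redact_first: bool) -> bool:
    """Retire one constructed user and report whether PII survives on the replica."""
    replica = Replica()
    primary = Primary(replica)
    user_id, email, key = 42, "new.address@example.com", "0123456789abcdef"  # constructed sample
    primary.save(PendingEmailChange(user_id, email, key))
    retire_pending_email_change(primary, user_id, redact_first=redact_first)
    assert user_id not in primary.rows  # deleted on the primary either way
    return replica_exposes(replica, user_id, email, key)


if __name__ == "__main__":
    print("delete only, PII readable on replica:", run_scenario(redact_first=False))
    print("redact then delete, PII readable on replica:", run_scenario(redact_first=True))
```

The primary row is gone in both runs; only the replica differs. That is the whole point of the fix: a soft-deleting downstream retains the last committed state, so the committed state at delete time must already be the redacted one.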