add auditlog entry on gdpr-api user deletion
henrinie-nc committed Nov 21, 2024
1 parent 9eed33d commit a7b5373
Showing 2 changed files with 36 additions and 1 deletion.
21 changes: 20 additions & 1 deletion gdpr/tests/test_gdpr_views.py
@@ -1,4 +1,5 @@
import pytest
from auditlog.models import LogEntry
from helusers.authz import UserAuthorization
from rest_framework import status
from rest_framework.test import APIRequestFactory, force_authenticate
@@ -112,6 +113,7 @@ def test_api_delete_user_data(
}

user = user_factory(first_name="Etunimi", last_name="Sukunimi")
user_id = user.id
areasearch = area_search_factory(user=user, description_area="Test")
apirequest_factory = APIRequestFactory()
request = apirequest_factory.delete(f"/v1/pub/gdpr-api/v1/profiles/{user.uuid}")
@@ -126,9 +128,18 @@ def test_api_delete_user_data(

response = MvjGDPRAPIView.as_view()(request, uuid=user.uuid)

# Expect deletion to be successful
# Expect deletion request to be successful.
assert response.status_code == status.HTTP_204_NO_CONTENT

# Ensure that auditlog entry has been created.
assert (
LogEntry.objects.get_for_model(user._meta.model)
.filter(object_id=user_id, changes="GDPR API: User data deleted.")
.exists()
is True
)

# Check that user instance is deleted.
with pytest.raises(user.DoesNotExist):
user.refresh_from_db()

@@ -171,3 +182,11 @@ def test_api_delete_user_data_not_possible(
# Deletion of the user object is therefore not possible.
assert response.status_code == status.HTTP_403_FORBIDDEN
assert information_check.preparer == user

# Ensure that auditlog entry has _not_ been created.
assert (
LogEntry.objects.get_for_object(user)
.filter(changes="GDPR API: User data deleted.")
.exists()
is False
)
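Review bot: The success-path assertion in `test_api_delete_user_data` proves only that the marker entry exists, not that the audit log is free of the deleted user's data. The fixture user is created with `first_name="Etunimi"` and `last_name="Sukunimi"`, so the test could also assert that no entry for that id carries them, e.g. `assert not LogEntry.objects.filter(object_id=user_id, changes__icontains="Sukunimi").exists()`, with a matching check on `object_repr`. The literal `"GDPR API: User data deleted."` is repeated in both tests and in `gdpr/utils.py`; importing it as one shared constant would keep the three in step. Both test functions begin outside the visible hunks.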
16 changes: 16 additions & 0 deletions gdpr/utils.py
@@ -1,3 +1,5 @@
from auditlog.models import LogEntry
from django.contrib.contenttypes.models import ContentType
from helsinki_gdpr.views import DryRunException

from users.models import User
@@ -19,4 +21,18 @@ def delete_user_data(user: User, dry_run: bool) -> None:
if dry_run:
raise DryRunException("Dry run. Rollback delete transaction.")
else:
user_id = user.id
user.delete()
content_type = ContentType.objects.get_for_model(User)
# Create Augitlog entry for deletion of user instance. Store only
# the object id, ensuring we do not store the personal data that was deleted.
LogEntry.objects.create(
content_type=content_type,
object_pk=str(user_id),
object_id=user_id,
object_repr=str(user_id),
action=LogEntry.Action.DELETE,
actor=None,
changes="GDPR API: User data deleted.",
remote_addr=None,
)
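Review bot: The comment before `LogEntry.objects.create(...)` states that no deleted personal data is stored, but the new code only controls the single entry it writes by hand. Whether `User` is registered with auditlog is not visible here; if it is, `user.delete()` would presumably emit its own DELETE entry derived from the instance, and earlier entries for the same `object_id` would stay in the table. If the erasure policy covers those rows, they could be purged after the `content_type` lookup and before the marker entry is written, e.g. `LogEntry.objects.filter(content_type=content_type, object_id=user_id).delete()`; otherwise the comment should say that only this one entry is free of personal data. The comment also misspells the library name as `Augitlog`; `# Create auditlog entry for deletion of the user instance.` reads correctly. `delete_user_data` begins outside the hunk, so the surrounding transaction handling cannot be checked from here.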
