PROD-2700 Implement Soft Delete for PrivacyRequests

[erosselli]

Closes PROD-2700

Description Of Changes

Adds support for soft deleting PrivacyRequests. The deletion is defined by the new column deleted_at, and we also stored who deleted it in the deleted_by column. A new DELETE /privacy-request/id endpoint is added in order to allow soft deleting requests, as well as an endpoint to bulk delete multiple requests at the same time POST /privacy-request/bulk/delete.

Code Changes

• Added columns deleted_at and deleted_by to PrivacyRequest , both nullable
• Added a new endpoint to allow soft deleting privacy requests, DELETE /privacy-request/id and for bulk deleting them POST /privacy-request/bulk/delete
• Added a new optional param to the existing search / list privacy requests endpoints, include_deleted_requests, that is False by default
• Added validation to the existing privacy request endpoints that modify privacy request data, to throw a 422 error when attempting to update any data related to a deleted privacy request

Steps to Confirm

• Run the admin UI and the privacy center (or alternatively, just run the entire test project)
• Create four different privacy requests, each with a different email, by clicking the "Access my data" blob of the privacy center
• If you go to the Admin UI, you should see all privacy requests
• Open SwaggerUI (or your Postman collection if you prefer) and call the DELETE endpoint with the id of one of the privacy requests
• Next, use the bulk delete endpoint to delete two other requests
• Go back to Admin UI -- you should now see only one privacy request, the one that hasn't been deleted

Error cases

Trying to do anything that modifies the deleted privacy request should cause a 422 error. Some examples:

• approving the request
• deleting the request
• restarting the request

Pre-Merge Checklist

• All CI Pipelines Succeeded
• Documentation:
  • documentation complete, PR opened in fidesdocs
  • documentation issue created in fidesdocs
  • if there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
• Issue Requirements are Met
• Relevant Follow-Up Issues Created
• Update CHANGELOG.md
• For API changes, the Postman collection has been updated
• If there are any database migrations:
  • Ensure that your downrev is up to date with the latest revision on main
  • Ensure that your downgrade() migration is correct and works
    • If a downgrade migration is not possible for this change, please call this out in the PR description!

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Skipped Deployment

Name	Status	Preview	Comments	Updated (UTC)
fides-plus-nightly	⬜️ Ignored (Inspect)	Visit Preview		Sep 24, 2024 2:50pm

[erosselli]

note to self: remember to update before merging

[erosselli]

If the privacy request is deleted, we error by default, unless the error_if_deleted argument is set to False

[erosselli]

same here, by default we will filter out deleted requests, unless explicitly included

[erosselli]

I allow get operations on the deleted privacy request , but not update ones. TBH there weren't any specific requirements regarding this on the ticket, so I used my best judgement. Any feedback / opinions are welcome

[pattisdr]

This is a great thing to run by Michael early on! There's a case to be made either way.

Maybe I would strive for consistency here:get_request_status_logs, view_uploaded_manual_webhook_data, view_uploaded_erasure_manual_webhook_data, and get_individual_privacy_request_tasks return very specific details about potentially deleted privacy requests by default.

But the search endpoint which is the place to get primary privacy request details does not return deleted privacy requests by default. This latter detail tips me towards wanting to hide everything by default or add query params to the GET ones so the default is "don't show" instead of "show"

[erosselli]

the question is because the "real" delete method (defined right above) does the following:

        cache: FidesopsRedis = get_cache()
        all_keys = get_all_cache_keys_for_privacy_request(privacy_request_id=self.id)
        for key in all_keys:
            cache.delete(key)
        for provided_identity in self.provided_identities:  # type: ignore[attr-defined]
            provided_identity.delete(db=db)

[pattisdr]

great question, I wouldn't yet since you're still allowing these privacy requests to come up in search with certain query params.

[erosselli]

again, there were no specfic requirements here, but I think it makes sense not to send emails for deleted requests

[pattisdr]

smart

[erosselli]

same here, I didn't think it made sense to run an access request for a deleted privacy reqyest

[erosselli]

Un related to this PR, see #5301 . I've skipped it just so that this file would run on the CI. I can remove the skip before merging

[cypress]

fides    Run #10085

Run Properties:   Passed #10085  •  306a46123a ℹ️: Merge f465edfc8ebf12d0c2fe4fd18c4ce7d9cfff9c39 into 0a0ea4f400ca6d1e10ad3b154f90...

Project	fides
Branch Review	refs/pull/5321/merge
Run status	Passed #10085
Run duration	00m 38s
Commit	306a46123a ℹ️: Merge f465edfc8ebf12d0c2fe4fd18c4ce7d9cfff9c39 into 0a0ea4f400ca6d1e10ad3b154f90...
Committer	erosselli
View all properties for this run ↗︎

---

Test results
Failures	0
Flaky	0
Pending	0
Skipped	0
Passing	4
⚠️ You've recorded test results over your free plan limit. Upgrade your plan to view test results.
View all changes introduced in this branch ↗︎

[erosselli]

Just wanted to call out that I tried to filter out the deleted requests from the places where it made sense, but also I don't know if I found all the places where we get a list of privacy requests. Wanted to point it out to get some extra eyes around that if possible

[pattisdr]

starting review -

[pattisdr]

This looks pretty good but let's step back for a second and clarify with product about expected behavior around "soft deletes". What should be able to be retrieved about a privacy request once it has been soft deleted?

[pattisdr]

Since this isn't a hard DELETE and it shows up under GET requests, I'd consider a different http method, maybe patch?

[pattisdr]

This isn't that dangerous of an operation, adding a nullable FK, but it could prevent privacy requests from being written while the table is being scanned? So that might be something we need to call out. If we're concerned about it, we could also add the constraint as not valid, and then validate the constraint in the other. The privacy request table can be large https://squawkhq.com/docs/adding-foreign-key-constraint/

Alternatively, we might consider removing the FK constraint. This has an added benefit that we can track if the root user made the change, which is not technically a real user. This would be similar to AuditLog.user_id instead

[erosselli]

ah that's a good idea I think, it may be overkill to have the FK constraint anyways -- I was following what was done for the approved_by column (I think), but it could be argued that this is a different use case anyways

[pattisdr]

While it's nice to get to re-use the BulkPostPrivacyRequests schema, since the single delete API endpoint returns a 204, this feels a little jarring to return the whole object.

Perhaps we create a new schema, where the "succeeded" list has just the privacy request id, deleted_at, and deleted_by? or similar

[pattisdr]

great question, I wouldn't yet since you're still allowing these privacy requests to come up in search with certain query params.

[pattisdr]

maybe patch here as well? what do you think?

[pattisdr]

This is a great thing to run by Michael early on! There's a case to be made either way.

Maybe I would strive for consistency here:get_request_status_logs, view_uploaded_manual_webhook_data, view_uploaded_erasure_manual_webhook_data, and get_individual_privacy_request_tasks return very specific details about potentially deleted privacy requests by default.

But the search endpoint which is the place to get primary privacy request details does not return deleted privacy requests by default. This latter detail tips me towards wanting to hide everything by default or add query params to the GET ones so the default is "don't show" instead of "show"

[pattisdr]

smart