Add anonymization feature for private user data

Author: codingjoe

docs/index.rst

@@ -10,6 +10,7 @@ All Contents
 
  usage
  templates
+ privacy
  customizing
  settings
  contributing

docs/privacy.rst

@@ -0,0 +1,40 @@
+Privacy
+========
+
+Anonymization
+-------------
+
+User privacy is important, not only to meet local regulations, but also to
+protect your users and allow them to exercise their rights. However,
+it's not always practical to delete users, especially if they have dependent
+objects, that are relevant for statistical analysis.
+
+Anonymization is a process of removing the user's personal data whilst keeping
+related data intact. This is done by using the ``anomymize`` method.
+
+
+
+.. automethod:: mailauth.contrib.user.models.AbstractEmailUser.anonymize
+ :noindex:
+
+This method may be overwritten to provide anonymization for you custom user model.
+
+Related objects may also listen to the anonymize signal.
+
+.. autoclass:: mailauth.contrib.user.models.AnonymizeUserSignal
+
+All those methods can be conveniently triggered via the ``anonymize`` admin action.
+
+.. autoclass:: mailauth.contrib.user.admin.AnonymizableAdminMixin
+ :members:
+
+Liability Waiver
+----------------
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

mailauth/contrib/user/admin.py

@@ -1,12 +1,51 @@
 from django.contrib import admin
+from django.contrib.auth import get_permission_codename
 from django.contrib.auth.models import Group, Permission
+from django.utils.translation import gettext_lazy as _, ngettext
 
 from . import models
 
 
+class AnonymizableAdminMixin:
+ """
+ Mixin for admin classes that provides a `anonymize` action.
+
+ This mixin calls the `anonymize` method of all user model instances.
+ """
+
+ actions = ["anonymize"]
+
+ @admin.action(
+ permissions=["anonymize"],
+ description=_("Anonymize selected %(verbose_name_plural)s"),
+ )
+ def anonymize(self, request, queryset):
+ count = queryset.count()
+ for user in queryset.iterator():
+ user.anonymize()
+
+ self.message_user(
+ request,
+ ngettext(
+ "%(count)s %(obj_name)s has successfully been anonymized.",
+ "%(count)s %(obj_name)s have successfully been anonymized.",
+ count,
+ )
+ % {
+ "count": count,
+ "obj_name": self.model._meta.verbose_name_plural
+ if count > 1
+ else self.model._meta.verbose_name,
+ },
+ fail_silently=True,
+ )
+
+ def has_anonymize_permission(self, request, obj=None):
+ return request.user.has_perm(f"{self.opts.app_label}.anonymize", obj=obj)
+
+
 @admin.register(models.EmailUser)
-class EmailUserAdmin(admin.ModelAdmin):
- app_label = "asdf"
+class EmailUserAdmin(AnonymizableAdminMixin, admin.ModelAdmin):
  list_display = ("email", "first_name", "last_name", "is_staff")
  list_filter = ("is_staff", "is_superuser", "is_active", "groups")
  search_fields = ("first_name", "last_name", "email")

mailauth/contrib/user/migrations/0005_emailuser_email_hash_alter_emailuser_email.py

@@ -0,0 +1,38 @@
+from django.db import migrations, models
+
+try:
+ from django.contrib.postgres.fields import CIEmailField
+except ImportError:
+ CIEmailField = models.EmailField
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ("mailauth_user", "0004_auto_20200812_0722"),
+ ]
+
+ operations = [
+ # add new permissions
+ migrations.AlterModelOptions(
+ name="emailuser",
+ options={
+ "permissions": [("anonymize", "Can anonymize user")],
+ "verbose_name": "user",
+ "verbose_name_plural": "users",
+ },
+ ),
+ # email is now nullable, since it's no longer required for authentication
+ migrations.AlterField(
+ model_name="emailuser",
+ name="email",
+ field=CIEmailField(
+ blank=True,
+ db_index=True,
+ max_length=254,
+ null=True,
+ unique=True,
+ verbose_name="email address",
+ ),
+ ),
+ ]

mailauth/contrib/user/models.py

@@ -1,7 +1,10 @@
+import hashlib
+
 from django.conf import settings
 from django.contrib.auth.base_user import BaseUserManager
 from django.contrib.auth.models import AbstractUser
 from django.db import models
+from django.dispatch import Signal
 from django.utils.crypto import get_random_string, salted_hmac
 from django.utils.translation import gettext_lazy as _
 
@@ -11,6 +14,22 @@
  from django.db.models import EmailField as CIEmailField
 
 
+AnonymizeUserSignal = Signal()
+"""
+Signal that is emitted when a user and all their data should be anonymized.
+
+Usage::
+
+ from mailauth.contrib.user.models import AnonymizeUserSignal
+
+ @receiver(AnonymizeUserSignal)
+ def anonymize_user(sender, user, **kwargs):
+ # Do something with related user data
+ user.related_model.delete()
+
+"""
+
+
 class EmailUserManager(BaseUserManager):
  use_in_migrations = True
 
@@ -50,7 +69,9 @@ class AbstractEmailUser(AbstractUser):
  username = None
  password = None
 
- email = CIEmailField(_("email address"), unique=True, db_index=True)
+ email = CIEmailField(
+ _("email address"), blank=True, null=True, unique=True, db_index=True
+ )
  """Unique and case insensitive to serve as a better username."""
 
  session_salt = models.CharField(
@@ -67,6 +88,9 @@ def has_usable_password(self):
 
  class Meta(AbstractUser.Meta):
  abstract = True
+ permissions = [
+ ("anonymize", "Can anonymize user"),
+ ]
 
  def _legacy_get_session_auth_hash(self):
  # RemovedInDjango40Warning: pre-Django 3.1 hashes will be invalid.
@@ -92,6 +116,27 @@ def get_session_auth_hash(self):
  algorithm=algorithm,
  ).hexdigest()
 
+ def anonymize(self, commit=True):
+ """
+ Anonymize the user data for privacy purposes.
+
+ This method will erase the email address, the email hash, the password.
+ You may overwrite this method to add additional fields to anonymize::
+
+ class MyUser(AbstractEmailUser):
+ def anonymize(self, commit=True):
+ super().anonymize(commit=False) # do not commit yet
+ self.phone_number = None
+ if commit:
+ self.save()
+ """
+ self.email = None
+ self.first_name = ""
+ self.last_name = ""
+ if commit:
+ self.save(update_fields=["email", "first_name", "last_name"])
+ AnonymizeUserSignal.send(sender=self.__class__, user=self)
+
 
 delattr(AbstractEmailUser, "password")
 

mailauth/forms.py

@@ -1,6 +1,8 @@
+import hashlib
 import urllib
 
 from django import forms
+from django.conf import settings
 from django.contrib.auth import get_user_model
 from django.contrib.sites.shortcuts import get_current_site
 from django.core.mail import EmailMultiAlternatives

tests/contrib/auth/test_admin.py

@@ -0,0 +1,72 @@
+from unittest.mock import Mock
+
+import pytest
+from django.contrib import admin
+from django.contrib.auth.models import Permission
+from django.urls import reverse
+
+from mailauth.contrib.user.admin import AnonymizableAdminMixin
+from mailauth.contrib.user.models import EmailUser
+
+
+class TestAnonymizableAdminMixin:
+ def test_anonymize__none(self, rf):
+ class MyUserModel(EmailUser):
+ class Meta:
+ app_label = "test"
+ verbose_name = "singular"
+ verbose_name_plural = "plural"
+
+ class MyModelAdmin(AnonymizableAdminMixin, admin.ModelAdmin):
+ pass
+
+ request = rf.get("/")
+ MyModelAdmin(MyUserModel, admin.site).anonymize(
+ request, MyUserModel.objects.none()
+ )
+
+ @pytest.mark.django_db
+ def test_anonymize__one(self, rf, user, monkeypatch):
+ class MyModelAdmin(AnonymizableAdminMixin, admin.ModelAdmin):
+ pass
+
+ monkeypatch.setattr(EmailUser, "anonymize", Mock())
+
+ request = rf.get("/")
+ MyModelAdmin(type(user), admin.site).anonymize(
+ request, type(user).objects.all()
+ )
+ assert EmailUser.anonymize.was_called_once_with(user)
+
+ @pytest.mark.django_db
+ def test_anonymize__many(self, rf, user, monkeypatch):
+ class MyModelAdmin(AnonymizableAdminMixin, admin.ModelAdmin):
+ pass
+
+ monkeypatch.setattr(EmailUser, "anonymize", Mock())
+
+ request = rf.get("/")
+ MyModelAdmin(type(user), admin.site).anonymize(
+ request, type(user).objects.all()
+ )
+ assert EmailUser.anonymize.was_called_once_with(user)
+
+ def test_has_anonymize_permission(self, rf, user):
+ class MyModelAdmin(AnonymizableAdminMixin, admin.ModelAdmin):
+ pass
+
+ user.is_staff = True
+ user.save()
+ request = rf.get("/")
+ request.user = user
+ assert not MyModelAdmin(type(user), admin.site).has_anonymize_permission(
+ request
+ )
+
+ permission = Permission.objects.get(
+ codename="anonymize",
+ )
+ user.user_permissions.add(permission)
+ del user._perm_cache
+ del user._user_perm_cache
+ assert MyModelAdmin(type(user), admin.site).has_anonymize_permission(request)

tests/test_models.py

@@ -20,3 +20,22 @@ def test_email__ci_unique(self, db):
  models.EmailUser.objects.create_user("IronMan@avengers.com")
  with pytest.raises(IntegrityError):
  models.EmailUser.objects.create_user("ironman@avengers.com")
+
+ @pytest.mark.django_db
+ def test_anonymize(self):
+ user = models.EmailUser.objects.create_user(
+ email="ironman@avengers.com", first_name="Tony", last_name="Stark"
+ )
+ user.anonymize()
+ assert not user.first_name
+ assert not user.last_name
+ assert not user.email
+
+ def test_anonymize__no_commit(self):
+ user = models.EmailUser(
+ email="ironman@avengers.com", first_name="Tony", last_name="Stark"
+ )
+ user.anonymize(commit=False)
+ assert not user.first_name
+ assert not user.last_name
+ assert not user.email