boris/keywarden
1
1
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

GDPR Compliant erasure requests

Browse Source
This commit is contained in:
George Wilkinson
2026-01-26 13:50:21 +00:00
parent 548681face
commit e693a7616c
6 changed files with 354 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
app/apps/accounts/admin.py
View File

@@ -1,3 +1,58 @@
from django import forms
from django.contrib import admin
#
# No custom models registered in accounts app. The legacy Account model has been removed.
from django.utils import timezone
from unfold.admin import ModelAdmin
from .models import ErasureRequest
class ErasureRequestAdminForm(forms.ModelForm):
class Meta:
model = ErasureRequest
fields = "__all__"
def clean(self):
cleaned = super().clean()
status = cleaned.get("status")
decision_reason = (cleaned.get("decision_reason") or "").strip()
if status in {ErasureRequest.Status.DENIED, ErasureRequest.Status.PROCESSED} and not decision_reason:
raise forms.ValidationError("Decision reason is required for denied or processed requests.")
return cleaned
@admin.register(ErasureRequest)
class ErasureRequestAdmin(ModelAdmin):
form = ErasureRequestAdminForm
list_display = ("id", "user", "status", "requested_at", "decided_at", "processed_at")
list_filter = ("status", "requested_at", "processed_at")
search_fields = ("user__username", "user__email")
readonly_fields = ("requested_at", "decided_at", "processed_at", "decided_by", "processed_by")
fieldsets = (
(
"Request",
{
"fields": ("user", "reason", "status", "requested_at"),
},
),
(
"Decision",
{
"fields": ("decision_reason", "decided_by", "decided_at"),
},
),
(
"Processing",
{
"fields": ("processed_by", "processed_at"),
},
),
)
def save_model(self, request, obj, form, change) -> None:
if obj.status == ErasureRequest.Status.PROCESSED:
obj.process(request.user, decision_reason=obj.decision_reason)
return
if obj.status == ErasureRequest.Status.DENIED and not obj.decided_at:
obj.decided_at = timezone.now()
obj.decided_by = request.user
super().save_model(request, obj, form, change)

16
app/apps/accounts/forms.py
View File

@@ -0,0 +1,16 @@
from django import forms
class ErasureRequestForm(forms.Form):
reason = forms.CharField(
label="Reason for erasure request",
widget=forms.Textarea(
attrs={
"rows": 4,
"placeholder": "Explain why you are requesting data erasure.",
"class": "w-full rounded-md border border-gray-300 bg-white px-3 py-2 text-sm text-gray-900 shadow-sm focus:border-purple-600 focus:outline-none focus:ring-1 focus:ring-purple-600",
}
),
min_length=10,
max_length=2000,
)

75
app/apps/accounts/migrations/0006_erasure_request.py Normal file
View File

@@ -0,0 +1,75 @@
from django.conf import settings
from django.db import migrations, models
import django.db.models.deletion
import django.utils.timezone
class Migration(migrations.Migration):
dependencies = [
("accounts", "0005_unique_user_email_index"),
migrations.swappable_dependency(settings.AUTH_USER_MODEL),
]
operations = [
migrations.CreateModel(
name="ErasureRequest",
fields=[
("id", models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name="ID")),
("reason", models.TextField()),
(
"status",
models.CharField(
choices=[("pending", "Pending"), ("denied", "Denied"), ("processed", "Processed")],
db_index=True,
default="pending",
max_length=16,
),
),
("requested_at", models.DateTimeField(default=django.utils.timezone.now, editable=False)),
("decided_at", models.DateTimeField(blank=True, null=True)),
("decision_reason", models.TextField(blank=True)),
("processed_at", models.DateTimeField(blank=True, null=True)),
(
"decided_by",
models.ForeignKey(
blank=True,
null=True,
on_delete=django.db.models.deletion.SET_NULL,
related_name="erasure_decisions",
to=settings.AUTH_USER_MODEL,
),
),
(
"processed_by",
models.ForeignKey(
blank=True,
null=True,
on_delete=django.db.models.deletion.SET_NULL,
related_name="erasure_processes",
to=settings.AUTH_USER_MODEL,
),
),
(
"user",
models.ForeignKey(
on_delete=django.db.models.deletion.CASCADE,
related_name="erasure_requests",
to=settings.AUTH_USER_MODEL,
),
),
],
options={
"verbose_name": "Erasure request",
"verbose_name_plural": "Erasure requests",
"ordering": ["-requested_at"],
},
),
migrations.AddIndex(
model_name="erasurerequest",
index=models.Index(fields=["status", "requested_at"], name="accounts_erasure_status_idx"),
),
migrations.AddIndex(
model_name="erasurerequest",
index=models.Index(fields=["user", "status"], name="accounts_erasure_user_status_idx"),
),
]

128
app/apps/accounts/models.py
View File

@@ -1,3 +1,125 @@
from django.db import models
#
# Legacy Account model has been removed. This app now contains URLs/views only.
from __future__ import annotations
import uuid
from django.conf import settings
from django.db import models, transaction
from django.utils import timezone
class ErasureRequest(models.Model):
class Status(models.TextChoices):
PENDING = "pending", "Pending"
DENIED = "denied", "Denied"
PROCESSED = "processed", "Processed"
user = models.ForeignKey(
settings.AUTH_USER_MODEL,
on_delete=models.CASCADE,
related_name="erasure_requests",
)
reason = models.TextField()
status = models.CharField(max_length=16, choices=Status.choices, default=Status.PENDING, db_index=True)
requested_at = models.DateTimeField(default=timezone.now, editable=False)
decided_at = models.DateTimeField(null=True, blank=True)
decided_by = models.ForeignKey(
settings.AUTH_USER_MODEL,
null=True,
blank=True,
on_delete=models.SET_NULL,
related_name="erasure_decisions",
)
decision_reason = models.TextField(blank=True)
processed_at = models.DateTimeField(null=True, blank=True)
processed_by = models.ForeignKey(
settings.AUTH_USER_MODEL,
null=True,
blank=True,
on_delete=models.SET_NULL,
related_name="erasure_processes",
)
class Meta:
verbose_name = "Erasure request"
verbose_name_plural = "Erasure requests"
ordering = ["-requested_at"]
indexes = [
models.Index(fields=["status", "requested_at"], name="accounts_erasure_status_idx"),
models.Index(fields=["user", "status"], name="accounts_erasure_user_status_idx"),
]
def __str__(self) -> str:
return f"Erasure request #{self.id} ({self.user_id})"
def process(self, admin_user, decision_reason: str = "") -> None:
if self.status == self.Status.PROCESSED:
return
now = timezone.now()
with transaction.atomic():
self._anonymize_user(admin_user, now)
self.status = self.Status.PROCESSED
self.decided_at = now
self.decided_by = admin_user
self.decision_reason = (decision_reason or "").strip()
self.processed_at = now
self.processed_by = admin_user
self.save(
update_fields=[
"status",
"decided_at",
"decided_by",
"decision_reason",
"processed_at",
"processed_by",
]
)
def _anonymize_user(self, admin_user, now) -> None:
from guardian.models import UserObjectPermission
from apps.access.models import AccessRequest
from apps.keys.models import SSHKey
user = self.user
token = uuid.uuid4().hex
anonymous_username = f"erased-{token}"
anonymous_email = f"{anonymous_username}@erased.local"
user.username = anonymous_username
user.email = anonymous_email
user.first_name = ""
user.last_name = ""
user.is_active = False
user.is_staff = False
user.is_superuser = False
user.last_login = None
user.set_unusable_password()
user.save(
update_fields=[
"username",
"email",
"first_name",
"last_name",
"is_active",
"is_staff",
"is_superuser",
"last_login",
"password",
]
)
user.groups.clear()
user.user_permissions.clear()
UserObjectPermission.objects.filter(user=user).delete()
SSHKey.objects.filter(user=user, is_active=True).update(is_active=False, revoked_at=now)
AccessRequest.objects.filter(requester=user).update(reason="[redacted]")
AccessRequest.objects.filter(
requester=user,
status__in=[AccessRequest.Status.PENDING, AccessRequest.Status.APPROVED],
).update(
status=AccessRequest.Status.REVOKED,
decided_at=now,
decided_by=admin_user,
expires_at=now,
)

57
app/apps/accounts/templates/accounts/profile.html
View File

@@ -45,5 +45,60 @@
</div>
</div>
</div>
{% endblock %}
<div class="mt-6 rounded-xl border border-gray-200 bg-white p-6 shadow-sm sm:p-8">
<h2 class="text-base font-semibold tracking-tight text-gray-900">Data erasure request</h2>
<p class="mt-2 text-sm text-gray-600">
Submit a GDPR erasure request to anonymize your account data. An administrator
must review and approve the request before processing.
</p>
{% if erasure_request %}
<div class="mt-4 rounded-lg border border-gray-200 bg-gray-50 p-4 text-sm text-gray-700">
<div class="flex flex-wrap items-center gap-2">
<span class="font-semibold">Status:</span>
<span class="inline-flex items-center rounded-full bg-gray-200 px-2.5 py-1 text-xs font-semibold text-gray-700">
{{ erasure_request.status|capfirst }}
</span>
<span class="text-gray-500">Requested {{ erasure_request.requested_at|date:"M j, Y H:i" }}</span>
</div>
{% if erasure_request.decided_at %}
<p class="mt-2 text-gray-600">
Decision {{ erasure_request.decided_at|date:"M j, Y H:i" }}.
{% if erasure_request.decision_reason %}
Reason: {{ erasure_request.decision_reason }}
{% endif %}
</p>
{% endif %}
{% if erasure_request.status == "processed" %}
<p class="mt-2 text-gray-600">
Your account has been anonymized. Access has been revoked and SSH keys disabled.
</p>
{% endif %}
</div>
{% endif %}
{% if not erasure_request or erasure_request.status != "pending" %}
<form method="post" class="mt-4 space-y-3">
{% csrf_token %}
<div>
<label for="{{ erasure_form.reason.id_for_label }}" class="block text-sm font-medium text-gray-700">
Reason for request
</label>
<div class="mt-1">
{{ erasure_form.reason }}
</div>
{% if erasure_form.reason.errors %}
<p class="mt-1 text-sm text-red-600">{{ erasure_form.reason.errors|striptags }}</p>
{% endif %}
</div>
{% if erasure_form.non_field_errors %}
<p class="text-sm text-red-600">{{ erasure_form.non_field_errors|striptags }}</p>
{% endif %}
<button type="submit" class="inline-flex items-center rounded-md bg-purple-600 px-4 py-2 text-sm font-semibold text-white shadow hover:bg-purple-700 focus:outline-none focus-visible:ring-2 focus-visible:ring-purple-600">
Submit erasure request
</button>
</form>
{% endif %}
</div>
{% endblock %}

30
app/apps/accounts/views.py
View File

@@ -1,16 +1,37 @@
from django.contrib.auth.decorators import login_required
from django.shortcuts import render
from django.conf import settings
from django.shortcuts import redirect
from django.contrib.auth import views as auth_views
from django.contrib.auth import logout
from django.contrib.auth import views as auth_views
from django.contrib.auth.decorators import login_required
from django.shortcuts import redirect, render
from .forms import ErasureRequestForm
from .models import ErasureRequest
@login_required(login_url="/accounts/login/")
def profile(request):
erasure_request = (
ErasureRequest.objects.filter(user=request.user).order_by("-requested_at").first()
)
if request.method == "POST":
form = ErasureRequestForm(request.POST)
if form.is_valid():
if erasure_request and erasure_request.status == ErasureRequest.Status.PENDING:
form.add_error(None, "You already have a pending erasure request.")
else:
ErasureRequest.objects.create(
user=request.user,
reason=form.cleaned_data["reason"].strip(),
)
return redirect("accounts:profile")
else:
form = ErasureRequestForm()
context = {
"user": request.user,
"auth_mode": getattr(settings, "KEYWARDEN_AUTH_MODE", "hybrid"),
"erasure_request": erasure_request,
"erasure_form": form,
}
return render(request, "accounts/profile.html", context)
@@ -26,4 +47,3 @@ def login_view(request):
def logout_view(request):
logout(request)
return redirect(getattr(settings, "LOGOUT_REDIRECT_URL", "/"))