Round up the privacy feature

codingjoe · codingjoe · commit d3e3f2e42299 · 2022-04-08T09:05:52.000+02:00
diff --git a/docs/index.rst b/docs/index.rst
@@ -10,6 +10,7 @@ All Contents
 
     usage
     templates
+    privacy
     customizing
     settings
     contributing
diff --git a/docs/privacy.rst b/docs/privacy.rst
@@ -0,0 +1,40 @@
+Privacy
+========
+
+Anonymization
+-------------
+
+User privacy is important, not only to meet local regulations, but also to
+protect your users and allow them to exercise their rights. However,
+it's not always practical to delete users, especially if they have dependent
+objects, that are relevant for statistical analysis.
+
+Anonymization is a process of removing the user's personal data whilst keeping
+related data intact. This is done by using the ``anomymize`` method.
+
+
+
+.. automethod:: mailauth.contrib.user.models.AbstractEmailUser.anonymize
+    :noindex:
+
+This method may be overwritten to provide anonymization for you custom user model.
+
+Related objects may also listen to the anonymize signal.
+
+.. autoclass:: mailauth.contrib.user.models.AnonymizeUserSignal
+
+All those methods can be conveniently triggered via the ``anonymize`` admin action.
+
+.. autoclass:: mailauth.contrib.user.admin.AnonymizableAdminMixin
+    :members:
+
+Liability Waiver
+----------------
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/docs/settings.rst b/docs/settings.rst
@@ -25,6 +25,15 @@ Mail Auth settings
     If ``True``, the same token can only be used once and will be invalid the next try.
     If ``False``, the same token can be used multiple times and remains valid until expired.
 
+.. attribute:: LOGIN_ANONYMOUS_ENABLED
+
+    Default: ``False``
+
+    Uses can be logged in anonymously, if enabled. This is related to the ``email_hash`` field.
+    In that case they user might login without the email address being stored in the database.
+    Since anonymization is meant to remove personal information, this is an odd behavior unless
+    you care about completely anonymous user authentication.
+
 Django related settings
 -----------------------
 
diff --git a/mailauth/contrib/user/admin.py b/mailauth/contrib/user/admin.py
@@ -1,12 +1,45 @@
 from django.contrib import admin
 from django.contrib.auth.models import Group, Permission
+from django.utils.translation import gettext_lazy as _, ngettext
 
 from . import models
 
 
+class AnonymizableAdminMixin:
+    """
+    Mixin for admin classes that provides a `anonymize` action.
+
+    This mixin calls the `anonymize` method of all user model instances.
+    """
+
+    actions = ["anonymize"]
+
+    def anonymize(self, request, queryset):
+        count = queryset.count()
+        for user in queryset.iterator():
+            user.anonymize()
+
+        self.message_user(
+            request,
+            ngettext(
+                "%(count)s %(obj_name)s has successfully been anonymized.",
+                "%(count)s %(obj_name)s have successfully been anonymized.",
+                count,
+            )
+            % {
+                "count": count,
+                "obj_name": self.model._meta.verbose_name_plural
+                if count > 1
+                else self.model._meta.verbose_name,
+            },
+            fail_silently=True,
+        )
+
+    anonymize.short_description = _("Anonymize selected %(verbose_name_plural)s")
+
+
 @admin.register(models.EmailUser)
-class EmailUserAdmin(admin.ModelAdmin):
-    app_label = "asdf"
+class EmailUserAdmin(AnonymizableAdminMixin, admin.ModelAdmin):
     list_display = ("email", "first_name", "last_name", "is_staff")
     list_filter = ("is_staff", "is_superuser", "is_active", "groups")
     search_fields = ("first_name", "last_name", "email")
diff --git a/mailauth/contrib/user/migrations/0005_emailuser_email_hash_alter_emailuser_email.py b/mailauth/contrib/user/migrations/0005_emailuser_email_hash_alter_emailuser_email.py
@@ -26,7 +26,6 @@ class Migration(migrations.Migration):
                 verbose_name="email address",
             ),
         ),
-
         # email_hash field is added as nullable first
         migrations.AddField(
             model_name="emailuser",
diff --git a/mailauth/contrib/user/models.py b/mailauth/contrib/user/models.py
@@ -4,6 +4,7 @@
 from django.contrib.auth.base_user import BaseUserManager
 from django.contrib.auth.models import AbstractUser
 from django.db import models
+from django.dispatch import Signal
 from django.utils.crypto import get_random_string, salted_hmac
 from django.utils.translation import gettext_lazy as _
 
@@ -13,6 +14,22 @@
     from django.db.models import EmailField as CIEmailField
 
 
+AnonymizeUserSignal = Signal()
+"""
+Signal that is emitted when a user and all their data should be anonymized.
+
+Usage::
+
+    from mailauth.contrib.user.models import AnonymizeUserSignal
+
+    @receiver(AnonymizeUserSignal)
+    def anonymize_user(sender, user, **kwargs):
+        # Do something with related user data
+        user.related_model.delete()
+
+"""
+
+
 class EmailUserManager(BaseUserManager):
     use_in_migrations = True
 
@@ -123,6 +140,27 @@ def get_session_auth_hash(self):
             algorithm=algorithm,
         ).hexdigest()
 
+    def anonymize(self, commit=True):
+        """
+        Anonymize the user data for privacy purposes.
+
+        This method will erase the email address, the email hash, the password.
+        You may overwrite this method to add additional fields to anonymize::
+
+            class MyUser(AbstractEmailUser):
+                def anonymize(self, commit=True):
+                    super().anonymize(commit=False) # do not commit yet
+                    self.phone_number = None
+                    if commit:
+                        self.save()
+        """
+        self.email = None
+        self.first_name = ""
+        self.last_name = ""
+        if commit:
+            self.save(update_fields=["email", "first_name", "last_name"])
+        AnonymizeUserSignal.send(sender=self.__class__, user=self)
+
 
 delattr(AbstractEmailUser, "password")
 
diff --git a/mailauth/forms.py b/mailauth/forms.py
@@ -2,6 +2,7 @@
 import urllib
 
 from django import forms
+from django.conf import settings
 from django.contrib.auth import get_user_model
 from django.contrib.sites.shortcuts import get_current_site
 from django.core.mail import EmailMultiAlternatives
@@ -105,7 +106,8 @@ def __init__(self, request, *args, **kwargs):
         self.fields[self.field_name] = field
 
     def get_users(self, email=None):
-        if self.field_name == "email" and hasattr(get_user_model(), "email_hash"):
+        anonymous_enabled = getattr(settings, "LOGIN_ANONYMOUS_ENABLED", False)
+        if hasattr(get_user_model(), "email_hash") and anonymous_enabled:
             email_hash = hashlib.md5(email.lower().encode()).hexdigest()
             return get_user_model().objects.filter(email_hash=email_hash).iterator()
 
diff --git a/tests/contrib/auth/test_admin.py b/tests/contrib/auth/test_admin.py
@@ -0,0 +1,50 @@
+from unittest.mock import Mock
+
+import pytest
+from django.contrib import admin, messages
+
+from mailauth.contrib.user.admin import AnonymizableAdminMixin
+from mailauth.contrib.user.models import EmailUser
+
+
+class TestAnonymizableAdminMixin:
+    def test_anonymize__none(self, rf):
+        class MyUserModel(EmailUser):
+            class Meta:
+                app_label = "test"
+                verbose_name = "singular"
+                verbose_name_plural = "plural"
+
+        class MyModelAdmin(AnonymizableAdminMixin, admin.ModelAdmin):
+            pass
+
+        request = rf.get("/")
+        MyModelAdmin(MyUserModel, admin.site).anonymize(
+            request, MyUserModel.objects.none()
+        )
+
+    @pytest.mark.django_db
+    def test_anonymize__one(self, rf, user, monkeypatch):
+        class MyModelAdmin(AnonymizableAdminMixin, admin.ModelAdmin):
+            pass
+
+        monkeypatch.setattr(EmailUser, "anonymize", Mock())
+
+        request = rf.get("/")
+        MyModelAdmin(type(user), admin.site).anonymize(
+            request, type(user).objects.all()
+        )
+        assert EmailUser.anonymize.was_called_once_with(user)
+
+    @pytest.mark.django_db
+    def test_anonymize__many(self, rf, user, monkeypatch):
+        class MyModelAdmin(AnonymizableAdminMixin, admin.ModelAdmin):
+            pass
+
+        monkeypatch.setattr(EmailUser, "anonymize", Mock())
+
+        request = rf.get("/")
+        MyModelAdmin(type(user), admin.site).anonymize(
+            request, type(user).objects.all()
+        )
+        assert EmailUser.anonymize.was_called_once_with(user)
diff --git a/tests/test_models.py b/tests/test_models.py
@@ -20,3 +20,23 @@ def test_email__ci_unique(self, db):
         models.EmailUser.objects.create_user("IronMan@avengers.com")
         with pytest.raises(IntegrityError):
             models.EmailUser.objects.create_user("ironman@avengers.com")
+
+    @pytest.mark.django_db
+    def test_anonymize(self):
+        user = models.EmailUser.objects.create_user(
+            email="ironman@avengers.com", first_name="Tony", last_name="Stark"
+        )
+        user.anonymize()
+        assert not user.first_name
+        assert not user.last_name
+        assert not user.email
+        assert user.email_hash
+
+    def test_anonymize__no_commit(self):
+        user = models.EmailUser(
+            email="ironman@avengers.com", first_name="Tony", last_name="Stark"
+        )
+        user.anonymize(commit=False)
+        assert not user.first_name
+        assert not user.last_name
+        assert not user.email
