Skip to content

[FC-0099] feat: add handler to remove roles when user is retired#110

Merged
mariajgrimaldi merged 20 commits intomainfrom
MJG/user-retirement
Nov 14, 2025
Merged

[FC-0099] feat: add handler to remove roles when user is retired#110
mariajgrimaldi merged 20 commits intomainfrom
MJG/user-retirement

Conversation

@mariajgrimaldi
Copy link
Copy Markdown
Member

@mariajgrimaldi mariajgrimaldi commented Oct 22, 2025
edited
Loading

Description

This PR adds a handler fired when a user is retired to unassign the current roles available in the casbin table, after this operation, all roles are revoked.

How To Test

There are a few integration tests to ensure that when the signal USER_RETIRE_LMS_CRITICAL is sent then roles for the user are revoked. Also, you can test this in a local environment by:

(the retirement of a user is kind of annoying to reproduce, hold on tight)

Merge checklist:
Check off if complete or not applicable:

  • Version bumped
  • Changelog record added
  • Documentation updated (not only docstrings)
  • Fixup commits are squashed away
  • Unit tests added/updated
  • Manual testing instructions provided
  • Noted any: Concerns, dependencies, migration issues, deadlines, tickets

@openedx-webhooks openedx-webhooks added open-source-contribution PR author is not from Axim or 2U core contributor PR author is a Core Contributor (who may or may not have write access to this repo). labels Oct 22, 2025
@openedx-webhooks
Copy link
Copy Markdown

openedx-webhooks commented Oct 22, 2025
edited
Loading

Thanks for the pull request, @mariajgrimaldi!

This repository is currently maintained by @openedx/committers-openedx-authz.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

  • If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
    • This process (including the steps you'll need to take) is documented here.
  • If it doesn't, simply proceed with the next step.
🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

  • Dependencies

    This PR must be merged before / after / at the same time as ...

  • Blockers

    This PR is waiting for OEP-1234 to be accepted.

  • Timeline information

    This PR must be merged by XX date because ...

  • Partner information

    This is for a course on edx.org.

  • Supporting documentation
  • Relevant Open edX discussion forum threads
🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

Details
Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

  • The size and impact of the changes that it introduces
  • The need for product review
  • Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

@github-project-automation github-project-automation Bot moved this to Needs Triage in Contributions Oct 22, 2025
@mariajgrimaldi mariajgrimaldi moved this to In Progress in RBAC AuthZ Board Oct 22, 2025
@mariajgrimaldi mariajgrimaldi changed the title feat: add handler to remove roles when user is retired [FC-0099] feat: add handler to remove roles when user is retired Oct 22, 2025
bmtcril
bmtcril reviewed Oct 22, 2025
View reviewed changes
Comment thread openedx_authz/api/roles.py Outdated
@mphilbrick211 mphilbrick211 added the FC Relates to an Axim Funded Contribution project label Oct 22, 2025
@mphilbrick211 mphilbrick211 moved this from Needs Triage to Waiting on Author in Contributions Oct 22, 2025
@mariajgrimaldi mariajgrimaldi force-pushed the MJG/consistency-mechanism branch from 162adf0 to a11ae03 Compare October 23, 2025 14:21
@mariajgrimaldi mariajgrimaldi mentioned this pull request Oct 24, 2025
Merged
@mariajgrimaldi mariajgrimaldi force-pushed the MJG/consistency-mechanism branch from 1ad96dd to 92bfa4f Compare October 24, 2025 11:20
mariajgrimaldi
mariajgrimaldi commented Oct 24, 2025
View reviewed changes
Comment thread openedx_authz/api/roles.py Outdated
Comment on lines +405 to +406
enforcer = AuthzEnforcer.get_enforcer()
enforcer.load_policy()
Copy link
Copy Markdown
Member Author

@mariajgrimaldi mariajgrimaldi Oct 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to drop this.

Copy link
Copy Markdown
Contributor

@rodmgwgu rodmgwgu Oct 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm curious, why do you need to drop this? is this for performance so we don't load the policy on every call?

@mariajgrimaldi mariajgrimaldi marked this pull request as ready for review October 24, 2025 16:21
@mariajgrimaldi
Copy link
Copy Markdown
Member Author

mariajgrimaldi commented Oct 24, 2025

I'll be working on fixing the failing tests :)

bmtcril
bmtcril approved these changes Oct 24, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@bmtcril bmtcril left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me once the tests are sorted, thanks for taking care of this!

rodmgwgu
rodmgwgu approved these changes Oct 24, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@rodmgwgu rodmgwgu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking great! I'm learning a lot by reading your code, thanks!

@mariajgrimaldi mariajgrimaldi moved this from In Progress to Ready for review in RBAC AuthZ Board Oct 29, 2025
@mariajgrimaldi
Copy link
Copy Markdown
Member Author

mariajgrimaldi commented Nov 4, 2025

This PR depends on #100 so this is blocked until it's resolved! Thanks :)

@mariajgrimaldi mariajgrimaldi force-pushed the MJG/consistency-mechanism branch from 480ae17 to 8331ed6 Compare November 4, 2025 14:09
@mphilbrick211 mphilbrick211 moved this from Waiting on Author to Blocked in Contributions Nov 4, 2025
@mariajgrimaldi mariajgrimaldi self-assigned this Nov 5, 2025
@BryanttV
Copy link
Copy Markdown
Contributor

BryanttV commented Nov 14, 2025

@mariajgrimaldi, the PR looks very good, thanks!

However, I tried to test it in my local environment by removing a user, and the roles were not deleted.

I tried to retire the user in the following two ways:

  • LMS > Account > Delete My Account
  • Using the retire_user command.

Neither worked for me. Am I forgetting something?

@bmtcril
Copy link
Copy Markdown
Contributor

bmtcril commented Nov 14, 2025

@mariajgrimaldi, the PR looks very good, thanks!

However, I tried to test it in my local environment by removing a user, and the roles were not deleted.

I tried to retire the user in the following two ways:

  • LMS > Account > Delete My Account
  • Using the retire_user command.

Neither worked for me. Am I forgetting something?

Both of those methods move the user into the retirement queue, but unless you're actually running the pipeline the user won't be retired. You can use the retirement tutor plugin with RETIREMENT_COOL_OFF_DAYS days set to 0 or get a Django shell and manually fire off the USER_RETIRE_LMS_CRITICAL from openedx.core.djangoapps.user_api.accounts.signals to trigger the actions. I think you can just do something like this for the latter:

from openedx.core.djangoapps.user_api.accounts.signals import USER_RETIRE_LMS_CRITICAL
from django.contrib.auth import get_user_model

user = get_user_model().objects.get(username=...)
USER_RETIRE_LMS_CRITICAL.send(sender=None, user=user)

@BryanttV
Copy link
Copy Markdown
Contributor

BryanttV commented Nov 14, 2025

Thanks for your explanation, @bmtcril! I didn’t know about the whole process. I tested the signal directly in the shell, and it works correctly! ✅

BryanttV
BryanttV approved these changes Nov 14, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@BryanttV BryanttV left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! @mariajgrimaldi

@mariajgrimaldi
feat: add initial extended model for consistency and additional storage
df1e196
@mariajgrimaldi
feat: add model to be used as backreference to maintain rules up to date
9d3b395
@mariajgrimaldi
refactor!: use registry pattern to extend base models
833cc2c
@mariajgrimaldi
refactor: consider when deleting extended model so the casbin rule is…
b4f7555 
… also deleted
@mariajgrimaldi
refactor: run make format
338ab81
@mariajgrimaldi
refactor: regenerate migrations
1ec58fe
@mariajgrimaldi
refactor: fix issues when rebasing
d3bf9c1
@mariajgrimaldi
refactor: drop unused variables from data classes
3ea8a84
@mariajgrimaldi
refactor: address integration test failure
b2b873b
@mariajgrimaldi
refactor: consider double namespace instead
27b6e5c
@mariajgrimaldi
test: add minimal unittest suite for extended casbin model
d3f1632
@mariajgrimaldi
refactor: address quality issues
5996a49
@mariajgrimaldi
feat: add handler to remove roles when user is retired
59053d7
@mariajgrimaldi
refactor: address PR review
2925a21
@mariajgrimaldi
refactor: address issues after rebase
e6096e2
@mariajgrimaldi
refactor: address quality issues after rebase
59ab46b
@mariajgrimaldi
refactor: drop load policy in favor of cache invalidation
282c6b6
@mariajgrimaldi
refactor: (temp) use no-index by default to avoid duplicate warnings
cbec3e6
@mariajgrimaldi mariajgrimaldi merged commit 5192606 into main Nov 14, 2025
13 of 14 checks passed
@mariajgrimaldi mariajgrimaldi deleted the MJG/user-retirement branch November 14, 2025 17:11
@github-project-automation github-project-automation Bot moved this from Ready for review to Done in RBAC AuthZ Board Nov 14, 2025
@github-project-automation github-project-automation Bot moved this from Blocked to Done in Contributions Nov 14, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bmtcril bmtcril bmtcril approved these changes

@rodmgwgu rodmgwgu rodmgwgu approved these changes

@MaferMazu MaferMazu Awaiting requested review from MaferMazu

+1 more reviewer

@BryanttV BryanttV BryanttV approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@mariajgrimaldi mariajgrimaldi

Labels

core contributor PR author is a Core Contributor (who may or may not have write access to this repo). FC Relates to an Axim Funded Contribution project open-source-contribution PR author is not from Axim or 2U

Projects

Contributions
Archived in project
RBAC AuthZ Board
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@mariajgrimaldi @openedx-webhooks @BryanttV @bmtcril @rodmgwgu @mphilbrick211