feat: add flag to allow permanent user deletions #335
+50
−2
Description
Use a feature flag to allow permanent deletion of a user and their related objects. This path would skip the retirement pipeline, where some PII is anonymized but still prevents a user from registering again with the same email or username. The feature flag would be off by default, so the current deletion behavior is maintained unless an administrator explicitly enables permanent deletion.
I also considered adding a separate delete endpoint to avoid surprising API users once the flag is enabled. A user could call delete user expecting the usual behavior and instead fully remove the account without realizing that permanent deletion is active. The downside is that we would end up with two delete endpoints that look very similar, which could be confusing.
What do you think about this approach?
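To make the two behaviours the description contrasts concrete, here is an added example (not code from this PR or from the Open edX project) that models them with an in-memory store. It assumes hypothetical names (`UserStore`, `delete_user`, `retire_user`, `permanently_delete_user`, `RetiredIdentity`) and stands in for the real retirement pipeline with a minimal tombstone of hashed identifiers; the point it shows is that with the flag off (the default) a retired username or email still blocks re-registration, while with the flag on the account and its related objects are removed outright and only a PII-free audit record remains.

```python
"""Feature-flag-gated account deletion (added example, hypothetical names).

Two paths:
  * retire_user: anonymize PII but keep a tombstone of hashed username/email,
    which is what prevents re-registration with the same identifiers.
  * permanently_delete_user: remove the account and related objects entirely,
    leaving only an audit record that carries no PII.
The flag defaults to False so the retirement path stays the default.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    username: str
    email: str
    # Stand-in for related objects (profile, enrollments, ...) that go with the user.
    related: dict = field(default_factory=dict)


@dataclass(frozen=True)
class RetiredIdentity:
    """Tombstone kept after retirement: hashes only, but they block re-registration."""
    username_hash: str
    email_hash: str


class UserStore:
    def __init__(self, permanent_deletion_enabled: bool = False):
        # Hypothetical flag; off by default, so current behaviour is preserved
        # unless an administrator explicitly turns it on.
        self.permanent_deletion_enabled = permanent_deletion_enabled
        self.users: dict[int, User] = {}
        self.retired: list[RetiredIdentity] = []
        self.audit_log: list[dict] = []  # never stores username or email
        self._next_id = 1

    @staticmethod
    def _hash(value: str) -> str:
        # Normalize before hashing so "Alice@Example.com" and "alice@example.com" collide.
        return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()

    def can_register(self, username: str, email: str) -> bool:
        """False if the identifiers are live or belong to a retired (tombstoned) account."""
        uh, eh = self._hash(username), self._hash(email)
        for u in self.users.values():
            if self._hash(u.username) == uh or self._hash(u.email) == eh:
                return False
        return not any(r.username_hash == uh or r.email_hash == eh for r in self.retired)

    def register(self, username: str, email: str) -> User:
        if not self.can_register(username, email):
            raise ValueError("username or email is already in use or retired")
        user = User(self._next_id, username, email)
        self.users[user.id] = user
        self._next_id += 1
        return user

    def retire_user(self, user_id: int) -> str:
        """Default path: drop PII, keep a hashed tombstone."""
        user = self.users.pop(user_id)
        self.retired.append(RetiredIdentity(self._hash(user.username), self._hash(user.email)))
        self.audit_log.append({"user_id": user_id, "action": "retired"})
        return "retired"

    def permanently_delete_user(self, user_id: int) -> str:
        """Flag-gated path: remove the row and related objects; no tombstone."""
        self.users.pop(user_id)  # related objects are attached to the User and go with it
        self.audit_log.append({"user_id": user_id, "action": "permanently_deleted"})
        return "permanently_deleted"

    def delete_user(self, user_id: int) -> str:
        """Single delete entry point whose behaviour depends on the flag."""
        if user_id not in self.users:
            raise KeyError(f"no such user {user_id}")
        if self.permanent_deletion_enabled:
            return self.permanently_delete_user(user_id)
        return self.retire_user(user_id)


if __name__ == "__main__":
    default_store = UserStore()
    u = default_store.register("alice", "alice@example.com")
    print(default_store.delete_user(u.id), default_store.can_register("alice", "alice@example.com"))

    hard_store = UserStore(permanent_deletion_enabled=True)
    u = hard_store.register("alice", "alice@example.com")
    print(hard_store.delete_user(u.id), hard_store.can_register("alice", "alice@example.com"))
```

The audit record is the part worth keeping in a real implementation: once the tombstone is gone there is no other trace that the account existed, so the log of who deleted which user id (without the PII itself) is what an operator has left to answer questions later.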
Testing instructions
Additional information
A client was about to use this API. While reviewing it, we noticed a problem. As with the LMS deletion flow, once a user account is deleted, the same username or email cannot be used again.
This goes against the client’s internal policies. It can also raise GDPR concerns, because the system still appears to keep the user’s PII, even if it is anonymized. This is the main reason for allowing administrators to fully delete users.
Checklist for Merge