feat: replace user identity strings with user IDs #38775
Open
ttak-apphelix wants to merge 8 commits into
Akanshu-2u
reviewed
Jun 22, 2026
| log.info(f'The user "{username}" has been added to the retirement pipeline \ | ||
| by "{request.user}"') | ||
| if settings.FEATURES['SQUELCH_PII_IN_LOGS']: | ||
| log.info('A user has been added to the retirement pipeline') |
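Review bot: Under the SQUELCH_PII_IN_LOGS check, the last line logs 'A user has been added to the retirement pipeline' with no identifier at all, so the entry cannot be tied to the retired account or to the operator who triggered it. Log the numeric IDs of both (the retired user's ID and request.user.id) rather than dropping them. Separately, the backslash continuation inside the f-string on the first line puts the next line's leading whitespace into the message; two adjacent string literals avoid that.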
Contributor
@robrap Should we keep request.user in this logger? request.user is the user who triggered the bulk retirement pipeline.
Contributor
We should probably just use the request user's id instead.
Akanshu-2u
reviewed
Jun 22, 2026
| }) | ||
| log.warning('email %s already exist', email) | ||
| if settings.FEATURES['SQUELCH_PII_IN_LOGS']: | ||
| log.warning('email [REDACTED] already exist') |
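Review bot: The message under the SQUELCH_PII_IN_LOGS check, 'email [REDACTED] already exist', is a constant string, so every occurrence looks identical and none can be correlated to an account. If a user object or ID is in scope at this point (the visible lines do not show one), include the ID in the message. In both variants "already exist" should read "already exists".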
Contributor
If the logger warning is a necessity to know which user's email is being referred to here, then as a suggestion we can use it as:

```python
log.warning(
    'email for user_id=%s already exists',
    user.id,
)
```

Just a suggestion, up to you to decide: can we use this, or is the current change enough?
Other places also may need some attention to see if user id can be used in the logger, so take a look at those also.
robrap
reviewed
Jun 22, 2026
| except SMTPException: | ||
| log.warning("Failure sending 'pending state' e-mail for %s to %s", user.email, studio_request_email) | ||
| if settings.FEATURES['SQUELCH_PII_IN_LOGS']: | ||
| log.warning("Failure sending 'pending state' e-mail for user ID %s to [REDACTED]", user.id) |
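Review bot: The settings.FEATURES['SQUELCH_PII_IN_LOGS'] check is repeated at this call site just as in the other hunks, leaving two wordings of the same warning side by side. Since user.id is not PII, consider logging the user ID form unconditionally, or moving the choice into one shared helper, so the two variants of each message cannot drift apart.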
Contributor
- I'd keep away from using "REDACTED". That's a nice automated solution if we were trying to have Datadog redact based on regex, or something. But when updating code, we have the ability to spell things out in English in the message.
- Also, I was wondering what `studio_request_email` was and how we'd spell that out. It turns out it is just a system email coming from a setting, so there is no reason to redact that email in the first place. Something this brings up, if we choose to not redact an email (something that looks like PII), what's a good way to annotate that? For now, you could just add a comment like:

  ```python
  # studio_request_email is a system email address, not PII, which can safely be logged.
  ```
Update application logging to prevent exposure of customer identity information in logs when SQUELCH_PII_IN_LOGS is enabled. Log records that currently include usernames, email addresses, or other user-identifying strings should instead use non-PII identifiers (for example, numeric user IDs) where appropriate.
This change should be applied consistently across the platform to reduce PII exposure in logs.
Private JIRA ticket:
https://2u-internal.atlassian.net/browse/BOMS-641
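
A check for the consistency goal stated in the description, as an added example that is not part of this pull request or of the project: it parses Python source and reports log calls that pass identity strings, while accepting a value annotated with a comment like the one suggested in the review. The logger names, the identifier hints, and the rule that the annotation comment starts with the expression name and contains "not PII" are assumptions of this example.

```python
import ast

# Assumed for this example: logger names, identifier hints, annotation wording.
LOGGER_NAMES = {"log", "logger"}
LOG_METHODS = {"debug", "info", "warning", "error", "exception", "critical"}
PII_HINTS = ("email", "username")
SAFE_ATTRS = {"id", "pk"}  # numeric identifiers may be logged
ALLOW_MARKER = "not PII"

def looks_like_pii(name):
    # str() of Django's default User is the username, so a bare `user` counts.
    return name == "user" or any(hint in name.lower() for hint in PII_HINTS)

def pii_refs(node):
    """Return the source text of identity-string expressions under node."""
    if isinstance(node, ast.Attribute) and node.attr in SAFE_ATTRS:
        return []  # user.id, request.user.id
    if isinstance(node, ast.Attribute) and looks_like_pii(node.attr):
        return [ast.unparse(node)]
    if isinstance(node, ast.Name) and looks_like_pii(node.id):
        return [node.id]
    return [r for child in ast.iter_child_nodes(node) for r in pii_refs(child)]

def annotated(ref, notes):
    # Assumed annotation form: "# <expression> ... not PII ...", expression first.
    return any(n.split()[:1] == [ref] and ALLOW_MARKER in n for n in notes)

def find_pii_log_calls(source):
    """Return sorted [(lineno, [expr, ...])] for log calls that pass PII."""
    lines, findings = source.splitlines(), []
    for node in ast.walk(ast.parse(source)):
        func = getattr(node, "func", None)
        if not (isinstance(node, ast.Call) and isinstance(func, ast.Attribute)
                and func.attr in LOG_METHODS and ast.unparse(func.value) in LOGGER_NAMES):
            continue
        nearby = lines[max(node.lineno - 2, 0):node.end_lineno]  # call + line above
        notes = [line.split("#", 1)[1] for line in nearby if "#" in line]
        refs = [r for a in node.args for r in pii_refs(a) if not annotated(r, notes)]
        if refs:
            findings.append((node.lineno, refs))
    return sorted(findings)

# Constructed sample modelled on the log calls discussed in this review.
SAMPLE = '''
log.info(f'The user "{username}" was added by "{request.user}"')
log.warning('email %s already exist', email)
# studio_request_email is a system email address, not PII, which can safely be logged.
log.warning("Failure sending e-mail for user ID %s to %s", user.id, studio_request_email)
'''
```

The annotation covers only the expression it names, so a `user.email` argument in the same call is still reported.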