Goal

Handling deletion requests via Blender ID webhook by deleting user records after a grace period of roughly 2 weeks.

Special considerations

Not all accounts can be deleted

Accounts that have certain types of content linked to them cannot be deleted. This includes the following:

• Any film-related content:
  • assets;
  • collections;
  • production logs etc.
• Blog posts.

In case of these types of content anonymization is also not an option (e.g. a blog post from an anonymous user makes no sense, same goes for a training).

Theoretically, if the author is replaced on these, it should be possible to delete the original author's account, but then the original ownership is lost, which is also might not be a good option and has to be done manually.

See Collector for details on how to collect data that has to be deleted along with an object, including protected objects: https://github.com/django/django/blob/stable/3.0.x/django/db/models/deletion.py#L64

Further in this doc let's call it *protected data*.

Comments and likes, on the other hand, are designed to be unlinked from deleted accounts but remain publicly visible, and training progress can be safely deleted.

⇒ as long as the account is an *ordinary* account, not a content editor account, it's safe to delete its data.

Cloudv3 auth

We assume Cloudv3 also receives an update from Blender ID and soft-deletes the user as well.

What if subscription is currently active?

There are no checks about the subscription at the moment: it's possible to request account deletion in Blender ID while having an active subscription.

Notification and activity (actstream)

actstream 's actions don't have SET NULL in their GFKs to users , so notification records linked to deleted accounts also get deleted.

Implementation

It's possible to request your account deletion from your settings page

This is a separate tab in the Settings page (e.g. /settings/delete). This tab links to Blender ID where deletion can be requested. Blender ID then sends out a user-modified event that has date_deletion_requested date set.
An info box is displayed in case there's protected data linked to this account on Blender Cloud.

Webhook user-modified with non-null date_deletion_requested

• checks what kind of protected data is linked to this account;
• if there's protected data linked to this account, logs an error and does nothing else;
• otherwise, deactivates the account: user.is_active = False;
• sets a user.date_deletion_requested to the date in webhook's payload;

Actual deletion

Command queue_deletion_requests

• called once a day (or less often);
• selects all Users that have date_deletion_requested at least 2 weeks in the past;
• for each calls a users.tasks.handle_deletion_request(pk)
• scheduled via systemd timer.

Task users.tasks.handle_deletion_request

• deletes a User with a given pk along with all data that it cascades to.

What if they change their mind within 2 weeks

We can, in theory, re-activate the account and clear deletion request (set date_deletion_requested = None) manually, however this is unlikely to happen often to be of concern.

See https://developer.blender.org/T82339