[DS-4036] Delete EPersons even if they are referenced #2928
Conversation
DSpace references EPersons in different database tables like the submitter of an item or like the EPerson that gets special rights granted in the resourcepolicy table. This PR changes DSpace so it can handle references that are set null instead of referencing an actual EPerson. This is important to be able to delete EPersons which is demanded by several data protection laws like GDPR in the European Union.
heathergreerklein
moved this from Needs Reviewers Assigned
to Under Review
in DSpace 7 Beta 4
There was a problem hiding this comment.
@benbosman : I gave this an early review today, per request of @lieven-atmire in today's meeting.
I added a number of minor code cleanup notes...nothing major. The logic here mostly makes sense, but I'd like us to think more about the deletion related to Workflow Role Groups (see this comment of mine).
I'm worried we are potentially making it harder on DSpace Administrators to delete an EPerson if they are a member of many Workflow Role Groups. But, it's also possible I'm misunderstanding the code here. If possible, I'd like us to consider if there's a way to make deletion of EPersons slightly easier (to avoid forcing Admins to remove them one by one from a potentially large number of groups).
Overall, I'm not against the approach you've taken here, but I'd like to understand why you took this approach as it seems slightly unexpected to me at a first glance.
dspace-api/src/main/java/org/dspace/app/requestitem/RequestItemHelpdeskStrategy.java
Outdated
Show resolved
Hide resolved
dspace-api/src/main/java/org/dspace/app/requestitem/RequestItemMetadataStrategy.java
Outdated
Show resolved
Hide resolved
| @@ -66,6 +68,8 @@ | |||
|
|
|||
| public void deleteByDsoEPersonPolicies(Context context, DSpaceObject dso, EPerson ePerson) throws SQLException; | |||
|
|
|||
| public void deleteAllEPersonPolicies(Context context, EPerson ePerson) throws SQLException; | |||
There was a problem hiding this comment.
probably should be renamed deleteByEPerson() to match the other deleteBy* methods in this same DAO. We should also take this opportunity to add Javadocs here & to the new findByEPerson() method above.
There was a problem hiding this comment.
This feedback hasn't been addressed yet
There was a problem hiding this comment.
This is another change from #2229. We can modify it
dspace-api/src/main/java/org/dspace/eperson/EPersonCLITool.java
Outdated
Show resolved
Hide resolved
dspace-api/src/main/java/org/dspace/eperson/EPersonCLITool.java
Outdated
Show resolved
Hide resolved
dspace-api/src/main/java/org/dspace/eperson/EPersonServiceImpl.java
Outdated
Show resolved
Hide resolved
dspace-api/src/main/java/org/dspace/eperson/EPersonServiceImpl.java
Outdated
Show resolved
Hide resolved
dspace-api/src/main/java/org/dspace/eperson/GroupServiceImpl.java
Outdated
Show resolved
Hide resolved
dspace-api/src/main/java/org/dspace/workflowbasic/BasicWorkflowServiceImpl.java
Show resolved
Hide resolved
| * - verify the delete is refused | ||
| * - remove user B from step 1 | ||
| * - delete user B | ||
| * - verify the delete succeeds |
There was a problem hiding this comment.
@benbosman : The scenario above doesn't make total sense to me. I don't see why deletion of user B must fail until they are removed from both approval groups? Why wouldn't a deletion just remove them from those approval groups (and let the approval proceed with other users in those groups)?
Does this have to do with whether a EPerson is the only member of a workflow role Group?
Simply put, I think we need to think about this more:
- If an EPerson is only one (of many) member of a workflow role Group, then it seems like deleting them should just remove them from the group. I.e. no error should occur.
- If an EPerson is the only member of a workflow role Group, then we have two options:
- We delete both the EPerson & the Workflow Role Group (i.e. you are deleting that workflow step by deleting the only member of it). We could warn an Admin here if needed by saying: "By deleting this person, you will also remove these workflow steps of which they are the only member: "
- We refuse to delete the EPerson until they are removed from each of the Workflow Role Groups. This is easier for us, but potentially more work for the DSpace Admin, who may have to go in and edit/delete the EPerson from a number of Groups one by one.
There was a problem hiding this comment.
I now realize (after you added more details on the new "rules" here to the PR description) that my above comment is a misunderstanding of this test code. I had previously (wrongly) assumed this test was verifying that "no workflow group can be empty".
But, now I see that this test is likely verifying that the user cannot be removed if they are the only member of a Workflow Group that has items assigned.
I think this PR would be much easier to review if these tests all documented the scenario they are trying to tests. So, while the list of checks is useful here, it'd be nice to summarize them at the top by saying something like "This test verifies that an EPerson cannot be removed if they are the only member of a Workflow Group that has tasks currently assigned to it."
So, please disregard my prior request/comment..the only action here is to add a summary comment at the top of each test to summarize the scenario you are testing for.
There was a problem hiding this comment.
Most of this prior feedback can be ignored, except as noted, it'd be useful to update the comments above these tests to simply summarize the scenario that each test is attempting to verify. The detailed list of steps is sometimes confusing to follow. So, I think this test could say something like: This test verifies that an EPerson cannot be removed if they are the only member of a Workflow Group that has tasks currently assigned to it.
The same is true for all tests in this class...it's sometimes hard to follow exactly why they are performing the steps they are performing. So, a simple summary sentence would help describe the scenario much more clearly.
There was a problem hiding this comment.
AFAIK this has already been done as well
There was a problem hiding this comment.
@benbosman : I'm not seeing the requested changes to this EPersonInWorkflowTest class methods.
There was a problem hiding this comment.
I'd still appreciate simple summary notes at the beginning of each of these tests. It's very hard to follow these tests & the detailed "This test will perform the following checks:" does not always make it clear which scenario is being tested for.
As I noted previously, I think this test method can be easily summarized as "This test verifies that an EPerson cannot be removed if they are the only member of a Workflow Group that has tasks currently assigned to it." However, I'm not sure that's accurate, as it also seems like it might be testing that a user with claimed tasks cannot be deleted?
I think these tests would be a lot easier to understand if the JavaDocs just had a brief summary of the scenarios tested, and you moved the step-by-step summary into inline comments. Otherwise, I'm stuck reading a line and then having to scroll up to the JavaDocs to see which step it might be referencing, then reading the next line, and scroll back up, etc.
It's also extremely difficult determining the differences between testDeleteUserWhenOnlyUserInGroup1, testDeleteUserWhenOnlyUserInGroup2, ``testDeleteUserWhenOnlyUserInGroup3`...all the way to 7. Again, I think it'd be easier to understand if the JavaDocs had a simple summary of what makes this tests unique, and you move more of the details to inline (to describe what each line is doing).
I realize this would take work, but without these changes, this test class is very hard to review. I've taken 30mins to just check the first method looks correct (it does). But, I don't know how it differs from all the rest yet. (And, at a glance many of these test methods look like they run the same check over and over again...for instance, each one keeps checking that User B cannot be deleted if they are the last member of the first step group... it seems like we only need to make that check once)
|
@benbosman : Thanks for the updates to the PR Description to describe the "rules" you've put in place around deleting EPersons...specifically:
I now realize that my prior feedback was slightly misguided, as I had misunderstood one of the rules... I had previously thought that "no workflow group can be empty" was a rule you were attempting to achieve (and that was the major concern I had). Therefore, I generally approve of the direction of this draft PR. I've updated my prior inline comments where I was misunderstanding the code previously to clarify what would help this PR along. I think all the inline requests are now relatively minor. Mostly it'd be improved by more inline comments & clearer error messages. Thanks! |
github-actions
bot
added
the
merge conflict
72774: Delete eperson: workspace
benbosman
removed
the
merge conflict
There was a problem hiding this comment.
@benbosman : I was going to review this today, but I realized that my prior (mostly minor) feedback from Aug 20 hasn't been addressed yet. So, I've added inline comments here again as a reminder of which feedback still needs addressing.
In the meantime, I'll try and test this out with the (new) corresponding Angular PR in the coming days, so that I can also provide feedback on how it's working.
dspace-api/src/main/java/org/dspace/app/requestitem/RequestItemHelpdeskStrategy.java
Outdated
Show resolved
Hide resolved
dspace-api/src/main/java/org/dspace/app/requestitem/RequestItemMetadataStrategy.java
Outdated
Show resolved
Hide resolved
| @@ -66,6 +68,8 @@ | |||
|
|
|||
| public void deleteByDsoEPersonPolicies(Context context, DSpaceObject dso, EPerson ePerson) throws SQLException; | |||
|
|
|||
| public void deleteAllEPersonPolicies(Context context, EPerson ePerson) throws SQLException; | |||
There was a problem hiding this comment.
This feedback hasn't been addressed yet
| } catch (IOException ex) { | ||
| List<String> tableList = ePersonService.getDeleteConstraints(context, eperson); | ||
| if (!tableList.isEmpty()) { | ||
| System.out.printf("This EPerson with ID: %s is referring to this tables:%n ", |
There was a problem hiding this comment.
This feedback hasn't been addressed yet
dspace-api/src/main/java/org/dspace/eperson/EPersonCLITool.java
Outdated
Show resolved
Hide resolved
dspace-api/src/main/java/org/dspace/eperson/EPersonCLITool.java
Outdated
Show resolved
Hide resolved
| } catch (AuthorizeException ex) { | ||
| log.error("This AuthorizeException: " + ex + " occured while deleting Eperson with the ID: " + | ||
| ePerson.getID()); | ||
| throw new AuthorizeException(ex.getMessage()); |
There was a problem hiding this comment.
This feedback hasn't been addressed yet
dspace-api/src/main/java/org/dspace/eperson/EPersonServiceImpl.java
Outdated
Show resolved
Hide resolved
dspace-api/src/main/java/org/dspace/workflowbasic/BasicWorkflowServiceImpl.java
Show resolved
Hide resolved
| * - verify the delete is refused | ||
| * - remove user B from step 1 | ||
| * - delete user B | ||
| * - verify the delete succeeds |
There was a problem hiding this comment.
Most of this prior feedback can be ignored, except as noted, it'd be useful to update the comments above these tests to simply summarize the scenario that each test is attempting to verify. The detailed list of steps is sometimes confusing to follow. So, I think this test could say something like: This test verifies that an EPerson cannot be removed if they are the only member of a Workflow Group that has tasks currently assigned to it.
The same is true for all tests in this class...it's sometimes hard to follow exactly why they are performing the steps they are performing. So, a simple summary sentence would help describe the scenario much more clearly.
|
@benbosman : Thanks for the clarification. In general, I think we do need to clean up the original code from #2229 in this PR as well.... I fully realize your team didn't write that code. But as you are helping steward this work along, I'd appreciate it if we can still cleanup (where reasonable) code that was originally written in #2229 which doesn't align well with our current DSpace 7 best practices. So, I'd definitely appreciate it if your team could help clean up the code throughout this PR....that said, we can decide to make exceptions around minor things (like the changes to the now obsolete Workflow framework, as that will be removed soon anyhow). |
|
This pull request fixes 1 alert when merging d5e28e8 into 8d57d71 - view on LGTM.com fixed alerts:
|
There was a problem hiding this comment.
@benbosman : I gave this another code review today. Much of my feedback has been addressed. However, I'm still finding the tests in EPersonInWorkflowTest to be very "dense" and difficult to understand. They are very repetitive and don't describe well which different scenarios they are attempting to test for. I've added more comments/questions inline to explain further.
I will also note that this EPersonInWorkflowTest takes a really long time to run (for a Unit Test). Your Travis build shows it taking 21.396 seconds, while most every other unit test completes in about 5 seconds or less. I'm not sure what to suggest here, but I'd like to understand if we need the repetitive tests in this class, as I'm worried they are just adding unnecessary time to the build/testing process.
I will note that I lightly tested this with the Angular PR and it looks like the basics are working. So, I think this mostly just needs some test cleanup to simplify things (if possible) and better describe exactly what each test is doing differently
| * @throws Exception | ||
| */ | ||
| @Test | ||
| public void testDeleteUserWhenOnlyUserInGroup2() throws Exception { |
There was a problem hiding this comment.
How does this differ from testDeleteUserWhenOnlyUserInGroup1()? I'm not seeing clear differences in why we need a second test here & the description doesn't describe any differences...both methods are described identically as: This test verifies that an EPerson cannot be removed if they are the only member of a Workflow Group that has tasks currently assigned to it. This test also verifies that after user has been removed from the workflow group and the task has been passed, the EPerson can be removed.
It's very hard to tell the differences between these methods, and (to me) it looks like we are running some of the same tests as in testDeleteUserWhenOnlyUserInGroup1(). Duplicative tests are not really necessary, as they just take up more time (and will cause this overall Test class to take longer to complete/pass). It's possible I'm misunderstanding the purpose of these test methods...but the purpose is just not clear to me as a reviewer, so I'm finding these test methods very difficult to review.
This same comment applies to all the other testDeleteUserWhenOnlyUserInGroup() tests below (numbered 2-7). They all have had the exact same summary added to them, & the code is similar but not exactly the same. So, I'd like to understand why they are all needed. Are there different scenarios here that you are trying to test are not causing a different behavior? If so, we need to describe those different scenarios better in the comments, so that it's easier for reviewers to understand what they are attempting to test for.
| * @throws Exception | ||
| */ | ||
| @Test | ||
| public void testDeleteUserAfterReplacingUser2() throws Exception { |
There was a problem hiding this comment.
The same questions above apply to these methods. I'm finding it hard to determine the differences between testDeleteUserAfterReplacingUser2() and testDeleteUserAfterReplacingUser1(). I can see the descriptions are identical & the setup is identical. The steps seem like they are very similar but in a slightly different order. And, why does this test need to verify that the Item can be archived after approvals occur? It seems like it that's beyond the scope of testing whether User B can be deleted after another user is added?
So, again, this is confusing to me to review as I'm not understanding what this test is attempting to test for that is different from the prior test. It also seems like these tests are doing more than they need to, as I don't think they need to complete the entire workflow process (unless I'm misunderstanding the goals of these tests)
This same comment applies to the other tests named testDeleteUserAfterReplacingUser*() as they are all quite similar in nature.
|
Hi @tdonohue , If you do want to have some tests disabled due to the duration in Travis, perhaps it would be possible to:
|
|
@benbosman : I think you've misunderstood my prior requests. I'm not asking to disable tests or even to remove some of the tests. But, I would like it if tests described their goal(s) better. Currently, this PR has been hard for me to review as the test methods all look extremely similar to me. So, I'm unable to determine why you've chosen to test the same idea (e.g. blocking delete of a EPerson who is the only member of a review group) from several different "angles" or "approaches". The differences between the tests are unclear to me, so I don't know what bugs you are trying to prove no longer exist. I've also found that existing tests seem to do a lot more work then they need to. For instance, after proving that you can only delete an EPerson after removing them from the review group, why does every test need to then continue the workflow step-by-step until the Item is archived? Continuing to test the workflow itself seems unrelated to the EPerson deletion codebase -- unless I'm misunderstanding the goals of these tests. If, after the tests are better documented & we've removed unnecessary code from the tests, these tests still take a while to run, I'm OK with that. However, currently, as they look duplicative to me & they are taking a long time to run, I have to ask these questions to understand what I'm missing. |
| /** | ||
| * Class to test interaction between EPerson deletion and tasks present in the workflow | ||
| */ | ||
| public class EPersonInWorkflowTest extends AbstractIntegrationTestWithDatabase { |
There was a problem hiding this comment.
If this class is an AbstractIntegrationTestWithDatabase then it is not a unit test and should be named EPersonInWorkflowIT.
Being an IT would help to explain why it runs so long. Actually, as our ITs go, its execution is rather brief.
There was a problem hiding this comment.
@mwoodiupui : good catch! I somehow overlooked that.
I agree with @mwoodiupui here, @benbosman ....this class is misnamed. Since it's obviously an IT, it must be named EPersonInWorkflowIT.java in order to be run as an IT. Just a reminder, classes with "Test" in them are run as Unit Tests, while classes with "IT" in them are run as Integration Tests.
|
This pull request fixes 1 alert when merging d6046dc into 737d3e6 - view on LGTM.com fixed alerts:
|
|
This pull request fixes 1 alert when merging 01cc856 into 737d3e6 - view on LGTM.com fixed alerts:
|
There was a problem hiding this comment.
@benbosman : As noted via Slack, the new IT code comments are looking good to me. So, if the other methods can be updated, I'd appreciate it.
I also gave this another test today with DSpace/dspace-angular#874, and I stumbled on one (seemingly minor) bug. If I delete a submitter while they have an item in Workflow, the deletion succeeds, but the item in Workflow is no longer accessible from the UI (it throws a NullPointerException as the submitter is now null).
Here's the full error stacktrace that I see in the dspace.log:
2020-10-05 16:38:57,968 ERROR org.dspace.app.rest.exception.DSpaceApiExceptionControllerAdvice @ An exception has occurred (status:500)
java.lang.NullPointerException: null
at org.dspace.app.rest.converter.ConverterService.toRest(ConverterService.java:110) ~[classes/:7.0-beta4-SNAPSHOT]
at org.dspace.app.rest.converter.AInprogressItemConverter.fillFromModel(AInprogressItemConverter.java:70) ~[classes/:7.0-beta4-SNAPSHOT]
at org.dspace.app.rest.converter.WorkflowItemConverter.convert(WorkflowItemConverter.java:36) ~[classes/:7.0-beta4-SNAPSHOT]
at org.dspace.app.rest.converter.WorkflowItemConverter.convert(WorkflowItemConverter.java:24) ~[classes/:7.0-beta4-SNAPSHOT]
at org.dspace.app.rest.converter.ConverterService.toRest(ConverterService.java:111) ~[classes/:7.0-beta4-SNAPSHOT]
at org.dspace.app.rest.converter.PoolTaskConverter.convert(PoolTaskConverter.java:38) ~[classes/:7.0-beta4-SNAPSHOT]
at org.dspace.app.rest.converter.PoolTaskConverter.convert(PoolTaskConverter.java:24) ~[classes/:7.0-beta4-SNAPSHOT]
at org.dspace.app.rest.converter.DiscoverResultConverter.convertDSpaceObject(DiscoverResultConverter.java:98) ~[classes/:7.0-beta4-SNAPSHOT]
at org.dspace.app.rest.converter.DiscoverResultConverter.addSearchResults(DiscoverResultConverter.java:78) ~[classes/:7.0-beta4-SNAPSHOT]
at org.dspace.app.rest.converter.DiscoverResultConverter.convert(DiscoverResultConverter.java:57) ~[classes/:7.0-beta4-SNAPSHOT]
at org.dspace.app.rest.repository.DiscoveryRestRepository.getSearchObjects(DiscoveryRestRepository.java:115) ~[classes/:7.0-beta4-SNAPSHOT]
at org.dspace.app.rest.DiscoveryRestController.getSearchObjects(DiscoveryRestController.java:153) ~[classes/:7.0-beta4-SNAPSHOT]
I think the error is here: https://github.com/DSpace/DSpace/blob/main/dspace-server-webapp/src/main/java/org/dspace/app/rest/converter/AInprogressItemConverter.java#L70 It probably should be checking that the submitter is not null before using it.
Here's how to reproduce it:
- Create a new EPerson (as needed) who is an Administrator
- Find a Collection that has workflow approval enabled. Submit to it.
- Complete the submission...it goes into workflow approval
- Delete the EPerson (it will succeed)
- Now, login as a user who can approve/reject the submission created. The Workflow item list in that person's MyDSpace will "hang" indefinitely...in the
dspace.logyou'll see the above NullPointerException.
Overall, I'll admit this PR looks good to me. This is the only issue I've found. I've successfully done the following:
- I can delete EPerson who submitted past Items. Those Items are kept & still viewable in the UI
- I cannot delete an EPerson who is the last/only member of a Workflow group. However, I get the proper error. I can delete them if I delete the group first, or add another person to that group.
|
This pull request fixes 1 alert when merging 4103b01 into 737d3e6 - view on LGTM.com fixed alerts:
|
There was a problem hiding this comment.
👍 Overall, this is looking good now, so I'll give it my +1. Thanks for the IT comments cleanup @benbosman and @YanaDePauw -- it really helped to clarify to me what each test is doing differently.
There are just two outstanding issues I'm aware of...one it'd be nice to clean up in this PR, and the other could wait for a follow-up PR:
- As noted inline below, there's one test that has an
@Ignore. I think this@Ignorecan be removed and the test corrected (as I noted below). This should be very quick to fix & likely could be done in this PR. If for some reason you disagree, let me know or add a "TODO" comment to that test to describe why it's currently Ignored. - The minor NullPointerException that I mentioned previously could be done in a follow-up PR. I think this PR as-is is a great improvement, so I'd like to avoid holding it up further. If you agree, I'll simply log a bug ticket for the NPE & we can reschedule that follow-up fix for beta 5.
Thanks again!
|
|
||
| @Ignore | ||
| @Test | ||
| public void testWorkflowItemSubmitterDelete() throws Exception { |
There was a problem hiding this comment.
Minor thing. This test seems to have an @Ignore. Is there a reason for that? If so, we should add a TODO comment here.
Also, I think this test may be incorrect. In EPersonTest.testCascadingDeleteSubmitterPreservesWorkflowItems(), the test proves that a WorkflowItem is kept even if the Submitter is deleted. This test seems to be trying to prove the opposite as the final line in this method is trying to prove that the WorkflowItem isNotFound() after the Submitter is deleted. I suspect that last line should be changed to isOk(), as the WorkflowItem should still exist even if the Submitter is deleted.
There was a problem hiding this comment.
I've logged the above Ignored test as part of #2994. It's related to the minor bug that I described there.
benbosman
force-pushed
the
w2p-72472_Delete-eperson
branch
from
62fd8b0
to
9ae4239
Compare
|
This pull request fixes 1 alert when merging 9ae4239 into 737d3e6 - view on LGTM.com fixed alerts:
|
|
Thanks @tdonohue |
|
@benbosman : thanks for the response. I completely overlooked the fact that this ignore test was related to the small bug I previously reported. I've logged both in a new ticket #2994, which I've scheduled for beta 5. Therefore, I'm OK with this PR as-is. The bug I found & ignored test can both be cleaned up in beta 5. |
There was a problem hiding this comment.
thanks @benbosman for the PR, I made a code review and the code looks good to me with test to proof it works. I have also made some minimal manual testing so I'm +1 with merge it eventually also as is. There are few inline comments about minor cleanup
| @@ -33,6 +33,8 @@ | |||
| public List<ResourcePolicy> findByDsoAndType(Context context, DSpaceObject dSpaceObject, String type) | |||
| throws SQLException; | |||
|
|
|||
| public List<ResourcePolicy> findByEPerson(Context context, EPerson ePerson) throws SQLException; | |||
There was a problem hiding this comment.
nothing serious, basic javadoc is missing
| * referencing object - e.g. WorkspaceItem, ResourcePolicy - or by setting | ||
| * the foreign key null - e.g. archived Items). If cascade is set to false | ||
| * and the EPerson is referenced somewhere, this leads to an | ||
| * AuthorizeException. EPersons may be referenced by Items, ResourcePolicies |
There was a problem hiding this comment.
this seems to be not fully accurate. In the code below there are scenario where the EPersonDeletionException is thrown directly (btw it should be also added to the list of throws in the javadoc) and in another case it is wrapped inside an IllegalArgumentException. Can we always return it directly? any reason to wrap it in another exception?
|
Merging this as-is since it's at +2. I also created a separate ticket around cleaning up the Basic Workflow code (see #2995) to ensure that isn't forgotten (as both @abollini and I noticed that in comments above). Thanks @benbosman for helping move this effort along (and a thank you to @pnbecker whose prior work was pulled into this PR) |
tdonohue
added
the
authentication: EPerson
References
Description
This PR:
This PR doesn't include tests for the submission yet. We'd first want to verify whether the approach taken here is approved.
This PR is focussed on denying creation of an inconsistent state of your repository/items. This implies:
Instructions for Reviewers
There's a large amount of scenarios in EPersonInWorkflowTest.java. Please read them to see how this has been approached.
The general principle is to avoid an inconsistent state. If deleting the user would bring the system to an inconsistent state, that will need to be solved first, and the delete is refused.
Checklist
This checklist provides a reminder of what we are going to look for when reviewing your PR. You need not complete this checklist prior to creating your PR (draft PRs are always welcome). If you are unsure about an item in the checklist, don't hesitate to ask. We're here to help!
pom.xml), I've made sure their licenses align with the DSpace BSD License based on the Licensing of Contributions documentation.