fix: do not change track personal data (#98)

patricebender · web-flow · commit 3bacbe285e7c · 2024-06-19T13:58:26.000+02:00
fix #97
diff --git a/README.md b/README.md
@@ -68,7 +68,7 @@ npm add @cap-js/change-tracking
 ## Annotations
 
 > [!WARNING]
-> Please be aware that [**sensitive** or **personal** data](https://cap.cloud.sap/docs/guides/data-privacy/annotations#annotating-personal-data) should not be change tracked, since viewing the log allows users to circumvent [audit-logging](https://cap.cloud.sap/docs/guides/data-privacy/audit-logging#setup).
+> Please be aware that [**sensitive** or **personal** data](https://cap.cloud.sap/docs/guides/data-privacy/annotations#annotating-personal-data) (annotated with `@PersonalData`) is not change tracked, since viewing the log allows users to circumvent [audit-logging](https://cap.cloud.sap/docs/guides/data-privacy/audit-logging#setup).
 
 All we need to do is to identify what should be change-tracked by annotating respective entities and elements in our model with the `@changelog` annotation. Following the [best practice of separation of concerns](https://cap.cloud.sap/docs/guides/domain-modeling#separation-of-concerns), we do so in a separate file _srv/change-tracking.cds_:
 
@@ -544,4 +544,3 @@ We as members, contributors, and leaders pledge to make participation in our com
 ## Licensing
 
 Copyright 2023 SAP SE or an SAP affiliate company and contributors. Please see our [LICENSE](LICENSE) for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available [via the REUSE tool](https://api.reuse.software/info/github.com/cap-js/change-tracking).
-
diff --git a/lib/template-processor.js b/lib/template-processor.js
@@ -12,7 +12,9 @@ const _processElement = (processFn, row, key, elements, isRoot, pathSegments, pi
     const element = elements[key];
     const { plain } = picked;
 
-    if (plain) {
+    // do not change-track personal data
+    const isPersonalData = element && Object.keys(element).some(key => key.startsWith('@PersonalData'));
+    if (plain && !isPersonalData) {
         /**
          * @type import('../../types/api').templateProcessorProcessFnArgs
          */
diff --git a/tests/bookshop/db/schema.cds b/tests/bookshop/db/schema.cds
@@ -212,6 +212,13 @@ entity Customers : cuid {
                  on orderItems.customer = $self;
 }
 
+// do not change-track personal data
+annotate Customers with {
+  name @PersonalData.IsPotentiallyPersonal;
+  name @changelog 
+};
+
+
 entity OrderHeader : cuid {
   status : String;
 }
diff --git a/tests/integration/service-api.test.js b/tests/integration/service-api.test.js
@@ -322,4 +322,17 @@ describe("change log integration test", () => {
         expect(changes[0].valueChangedFrom).to.equal("2012-01-01");
         expect(changes[0].valueChangedTo).to.equal("");
     });
+
+    it("Do not change track personal data", async () => {
+        const allCustomers = await SELECT.from(adminService.entities.Customers);
+        await UPDATE(adminService.entities.Customers).where({ ID: allCustomers[0].ID }).with({
+            name: 'John Doe',
+        });
+
+        const changes = await SELECT.from(ChangeView).where({
+            entity: "sap.capire.bookshop.Customers",
+        });
+
+        expect(changes.length).to.equal(0);
+    });
 });

Original file line number	Diff line number	Diff line change
`@@ -212,6 +212,13 @@ entity Customers : cuid {`
`212`	`212`	`on orderItems.customer = $self;`
`213`	`213`	`}`
`214`	`214`
	`215`	`+// do not change-track personal data`
	`216`	`+annotate Customers with {`
	`217`	`+ name @PersonalData.IsPotentiallyPersonal;`
	`218`	`+ name @changelog`
	`219`	`+};`
	`220`	`+`
	`221`	`+`
`215`	`222`	`entity OrderHeader : cuid {`
`216`	`223`	`status : String;`
`217`	`224`	`}`