fix: do not change track personal data (#98)

fix #97
cap-js · Jun 19, 2024 · 3bacbe2 · 3bacbe2
1 parent 1581c92
commit 3bacbe2
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -68,7 +68,7 @@ npm add @cap-js/change-tracking
 ## Annotations
 
 > [!WARNING]
-> Please be aware that [**sensitive** or **personal** data](https://cap.cloud.sap/docs/guides/data-privacy/annotations#annotating-personal-data) should not be change tracked, since viewing the log allows users to circumvent [audit-logging](https://cap.cloud.sap/docs/guides/data-privacy/audit-logging#setup).
+> Please be aware that [**sensitive** or **personal** data](https://cap.cloud.sap/docs/guides/data-privacy/annotations#annotating-personal-data) (annotated with `@PersonalData`) is not change tracked, since viewing the log allows users to circumvent [audit-logging](https://cap.cloud.sap/docs/guides/data-privacy/audit-logging#setup).
 
 All we need to do is to identify what should be change-tracked by annotating respective entities and elements in our model with the `@changelog` annotation. Following the [best practice of separation of concerns](https://cap.cloud.sap/docs/guides/domain-modeling#separation-of-concerns), we do so in a separate file _srv/change-tracking.cds_:
 
@@ -544,4 +544,3 @@ We as members, contributors, and leaders pledge to make participation in our com
 ## Licensing
 
 Copyright 2023 SAP SE or an SAP affiliate company and contributors. Please see our [LICENSE](LICENSE) for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available [via the REUSE tool](https://api.reuse.software/info/github.com/cap-js/change-tracking).
-
diff --git a/lib/template-processor.js b/lib/template-processor.js
@@ -12,7 +12,9 @@ const _processElement = (processFn, row, key, elements, isRoot, pathSegments, pi
  const element = elements[key];
  const { plain } = picked;
 
- if (plain) {
+ // do not change-track personal data
+ const isPersonalData = element && Object.keys(element).some(key => key.startsWith('@PersonalData'));
+ if (plain && !isPersonalData) {
  /**
  * @type import('../../types/api').templateProcessorProcessFnArgs
  */

diff --git a/tests/bookshop/db/schema.cds b/tests/bookshop/db/schema.cds
@@ -212,6 +212,13 @@ entity Customers : cuid {
  on orderItems.customer = $self;
 }
 
+// do not change-track personal data
+annotate Customers with {
+ name @PersonalData.IsPotentiallyPersonal;
+ name @changelog 
+};
+
+
 entity OrderHeader : cuid {
  status : String;
 }

diff --git a/tests/integration/service-api.test.js b/tests/integration/service-api.test.js
@@ -322,4 +322,17 @@ describe("change log integration test", () => {
  expect(changes[0].valueChangedFrom).to.equal("2012-01-01");
  expect(changes[0].valueChangedTo).to.equal("");
  });
+
+ it("Do not change track personal data", async () => {
+ const allCustomers = await SELECT.from(adminService.entities.Customers);
+ await UPDATE(adminService.entities.Customers).where({ ID: allCustomers[0].ID }).with({
+ name: 'John Doe',
+ });
+
+ const changes = await SELECT.from(ChangeView).where({
+ entity: "sap.capire.bookshop.Customers",
+ });
+
+ expect(changes.length).to.equal(0);
+ });
 });