[fix] Exclude deleted notification settings #426

[Piyushkhobragade]

The populate_notification_preferences command soft-deletes obsolete
notification settings by setting deleted=True. However, these settings
were not being filtered out by the REST API.

This caused the frontend to throw a NotificationRenderException when
attempting to render undefined notification types. This PR explicitly
excludes these soft-deleted records from the BaseNotificationSettingView
queryset and the UserOrgNotificationSettingView bulk updates. A test case
has also been added to prevent regressions.

Fixes #426

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR excludes soft-deleted NotificationSetting records from API responses and update operations. It adds deleted=True exclusion in the NotificationSetting queryset and updates bulk-update paths to ignore entries with deleted=True. Tests were added to confirm deleted settings are absent from list, detail, and update endpoints and that bulk updates do not modify soft-deleted settings. A .gitignore entry for venv/ was also added.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant API as NotificationSettingView
  participant DB as NotificationSettingModel

  Client->>API: GET /notification-settings/ (list)
  API->>DB: query NotificationSetting.exclude(deleted=True, ...)
  DB-->>API: return filtered settings
  API-->>Client: 200 OK (filtered list)

  Client->>API: GET /notification-settings/{id}/ (detail)
  API->>DB: get(id).exclude(deleted=True)
  DB-->>API: 404 if deleted / return object
  API-->>Client: 200 OK or 404

  Client->>API: PUT /notification-settings/{id}/
  API->>DB: filter(id).exclude(deleted=True).update(...)
  DB-->>API: 0 rows if deleted / 1 row updated
  API-->>Client: 200 OK or 404

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

• nemesifier

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title '[fix] Exclude deleted notification settings #426' correctly follows the required format with [fix] prefix and clearly describes the main change of excluding soft-deleted notification settings.
Description check	✅ Passed	The PR description explains the issue, the solution, and references the linked issue #426 with 'Fixes #426', though it lacks a formal checklist completion section from the template.
Linked Issues check	✅ Passed	Code changes properly exclude soft-deleted notification settings from REST API responses (#426) via queryset filtering and bulk update exclusions, with regression test coverage added.
Out of Scope Changes check	✅ Passed	The .gitignore update to ignore 'venv/' is a minor housekeeping change unrelated to the PR objectives, but does not impede the main fix's purpose.
Bug Fixes	✅ Passed	The pull request properly fixes the root cause by excluding soft-deleted NotificationSetting records from API responses through Q(deleted=True) filters and exclude(deleted=True) calls, with comprehensive regression test validation.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

openwisp_notifications/api/views.py (1)

221-229: ⚠️ Potential issue | 🟠 Major

Missing exclusion of soft-deleted records in bulk update.

The PR description states this view should exclude soft-deleted records, but the bulk update at lines 225-227 still operates on all NotificationSetting records for the user/org, including those with deleted=True. This could unintentionally modify soft-deleted settings that shouldn't be accessible via the API.

🔧 Proposed fix to exclude deleted records

     def post(self, request, user_id, organization_id):
         serializer = self.get_serializer(data=request.data)
         if serializer.is_valid():
             validated_data = serializer.validated_data
             NotificationSetting.objects.filter(
                 organization_id=organization_id, user_id=user_id
-            ).update(**validated_data)
+            ).exclude(deleted=True).update(**validated_data)
             return Response(status=status.HTTP_200_OK)
         return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@openwisp_notifications/api/views.py` around lines 221 - 229, The bulk update
in the post method of the view is currently applying to all NotificationSetting
rows including soft-deleted ones; change the queryset used in
NotificationSetting.objects.filter(...) inside post (the filter that uses
organization_id and user_id) to exclude soft-deleted records (e.g., add
deleted=False or .exclude(deleted=True) to that filter) so the
update(**validated_data) only affects non-deleted settings.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@openwisp_notifications/api/views.py`:
- Around line 221-229: The bulk update in the post method of the view is
currently applying to all NotificationSetting rows including soft-deleted ones;
change the queryset used in NotificationSetting.objects.filter(...) inside post
(the filter that uses organization_id and user_id) to exclude soft-deleted
records (e.g., add deleted=False or .exclude(deleted=True) to that filter) so
the update(**validated_data) only affects non-deleted settings.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1f1d6a8c-3b4b-49f1-913b-92e285d83e88

📥 Commits

Reviewing files that changed from the base of the PR and between d5b5bb9 and 81a7c28.

📒 Files selected for processing (2)

• openwisp_notifications/api/views.py
• openwisp_notifications/tests/test_api.py

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)

• GitHub Check: Python==3.13 | django~=5.1.0
• GitHub Check: Python==3.11 | django~=5.1.0
• GitHub Check: Python==3.12 | django~=5.2.0
• GitHub Check: Python==3.13 | django~=5.2.0
• GitHub Check: Python==3.12 | django~=4.2.0
• GitHub Check: Python==3.12 | django~=5.1.0
• GitHub Check: Python==3.10 | django~=5.0.0
• GitHub Check: Python==3.10 | django~=4.2.0
• GitHub Check: Python==3.11 | django~=5.0.0
• GitHub Check: Python==3.10 | django~=5.2.0
• GitHub Check: Python==3.12 | django~=5.0.0
• GitHub Check: Python==3.11 | django~=5.2.0
• GitHub Check: Python==3.10 | django~=5.1.0
• GitHub Check: Python==3.11 | django~=4.2.0

🔇 Additional comments (2)

openwisp_notifications/api/views.py (1)

130-134: LGTM - Correctly excludes soft-deleted settings from the API queryset.

The added Q(deleted=True) exclusion ensures soft-deleted NotificationSetting records are filtered out from list, detail, and update endpoints.

Minor note: The deleted field allows NULL (defined with null=True). This exclusion includes NULL records (only excludes explicit True), whereas handlers.py uses deleted=False (excludes both NULL and True). This is acceptable given the default is False, but worth being aware of for consistency.

openwisp_notifications/tests/test_api.py (1)

822-847: Good test coverage for the soft-delete exclusion fix.

The test correctly verifies that soft-deleted notification settings are excluded from the list endpoint and return 404 for detail and update operations.

Consider adding a subtest for the UserOrgNotificationSettingView bulk update endpoint (user_org_notification_setting) to verify that soft-deleted settings are not affected by bulk updates once the corresponding fix is applied to that view.

[nemesifier]

Looks good, will test asap, please change the prefix from [api] to [fix].

[Piyushkhobragade]

Looks good, will test asap, please change the prefix from [api] to [fix].

Thanks so much for the review! I initially wasn't sure if updating the PR title was enough, but I just checked the GitHub Actions logs and saw the commit linter was actively failing the build because of the old [api] prefix.

I went ahead and squashed the commits and amended the message to use the [fix] prefix so the CI pipeline can pass. Let me know if you need anything else!

[Piyushkhobragade]

Hi @nemesifier, just a quick bump on this! The API fix and commit prefix are all set.

I noticed the CI is currently failing globally due to an upstream django-filter dependency drift. Let me know if you need anything else from my end, or if we are just waiting on the infrastructure fix before you test locally. Thanks!

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.gitignore:
- Line 192: Remove the duplicate "venv/" entry in .gitignore by deleting the
later occurrence (the standalone "venv/" at line shown in the diff) and keep the
existing "venv/" entry under the "### venv ###" section; ensure no other
whitespace-only or duplicate lines remain so the single canonical "venv/"
pattern is preserved.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: c6e0bf85-99af-468e-a42d-a2aff9488898

📥 Commits

Reviewing files that changed from the base of the PR and between 13b1e92 and db86dbc.

📒 Files selected for processing (1)

• .gitignore

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)

• GitHub Check: Python==3.11 | django~=5.1.0
• GitHub Check: Python==3.11 | django~=5.2.0
• GitHub Check: Python==3.12 | django~=5.0.0
• GitHub Check: Python==3.11 | django~=4.2.0
• GitHub Check: Python==3.11 | django~=5.0.0
• GitHub Check: Python==3.10 | django~=5.2.0
• GitHub Check: Python==3.12 | django~=4.2.0
• GitHub Check: Python==3.10 | django~=4.2.0
• GitHub Check: Python==3.12 | django~=5.2.0
• GitHub Check: Python==3.13 | django~=5.2.0
• GitHub Check: Python==3.10 | django~=5.0.0
• GitHub Check: Python==3.13 | django~=5.1.0
• GitHub Check: Python==3.12 | django~=5.1.0
• GitHub Check: Python==3.10 | django~=5.1.0