Merge pull request #18103 from edx/sstudent/EDUCATOR-2690

EDUCATOR-2690 bugfix

common/djangoapps/student/models.py

@@ -906,13 +906,7 @@ class PasswordHistory(models.Model):
         Updates the password in all rows corresponding to a user
         to an empty string as part of removing PII for user retirement.
         """
-        changed_password = False
-        with transaction.atomic():
-            for row, _ in cls.objects.filter(user_id=user_id):
-                changed_password = True
-                row.password = ""
-
-        return changed_password
+        return cls.objects.filter(user_id=user_id).update(password="")
 
 
 class LoginFailures(models.Model):

common/djangoapps/student/tests/test_password_history.py

@@ -204,6 +204,8 @@ class TestPasswordHistory(TestCase):
 
         self.assertFalse(PasswordHistory.is_password_reset_too_soon(student))
 
+    # We need some policy in place to create a history. It doesn't matter what it is.
+    @patch.dict("django.conf.settings.ADVANCED_SECURITY_CONFIG", {'MIN_DAYS_FOR_STUDENT_ACCOUNTS_PASSWORD_RESETS': 5})
     def test_retirement(self):
         """
         Verify that the user's password history contains no actual
@@ -214,9 +216,13 @@ class TestPasswordHistory(TestCase):
         # create multiple rows in the password history table
         self._change_password(user, "different")
         self._change_password(user, "differentagain")
+        # ensure the rows were actually created and stored the passwords
+        self.assertTrue(PasswordHistory.objects.filter(user_id=user.id).exists())
         for row in PasswordHistory.objects.filter(user_id=user.id):
             self.assertFalse(row.password == "")
 
+        # retire the user and ensure that the rows are still present, but with no passwords
         PasswordHistory.retire_user(user.id)
+        self.assertTrue(PasswordHistory.objects.filter(user_id=user.id).exists())
         for row in PasswordHistory.objects.filter(user_id=user.id):
             self.assertEqual(row.password, "")