Last updated: 30 Jul 2019

content-publisher: 13. Permitted Deletion

Date: 2019-07-24

Context

ADR 8: Restricted deletion explained the decision that foreign key associations in the Content Publisher database will all use the restrict constraint. At that point in time it was identified that we do not have any use cases for deleting data from the Content Publisher database.

Since then we have developed the access limit feature. This feature prevents users who are not part of a particular organisation from viewing content. A vulnerability in the access limit feature is that production data is synchronised to an integration environment where the access controls aren't as stringent, thus potentially allowing unauthorised users access to sensitive content. To resolve this issue GOV.UK applications have taken the approach of either removing or redacting data during the data sync process.

For Content Publisher to be consistent with other GOV.UK applications we had to choose between redacting or removing data associated with an access limited edition.

Decision

We decided that data would be removed from Content Publisher during the production to integration sync. This is significantly simpler than redacting the data and less likely to require adaptation for the needs of particular formats.

The approach taken to achieve this is to delete all data related to an access limited edition that isn't shared with another edition. To allow this we decided to replace restrict constraints in the editions table with cascade behaviour that automatically deletes associated records. A similar approach was applied to revisions to allow them, and associated data, to be deleted when they are no longer associated with an edition.
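The constraint change described above, shown as an added example using SQLite from Python (not Content Publisher's own code or schema; table and column names are assumptions). It builds the same tables once with `ON DELETE RESTRICT` and once with `ON DELETE CASCADE`, then runs a sync scrub that deletes access limited editions and any revisions no longer shared with a remaining edition.

```python
import sqlite3

# Constructed, simplified schema modelled on the ADR: editions can be access
# limited, and revisions may be shared by several editions via a join table.
# Names are assumptions, not the real Content Publisher schema.
SCHEMA = """
CREATE TABLE revisions (id INTEGER PRIMARY KEY, title TEXT NOT NULL);
CREATE TABLE editions (id INTEGER PRIMARY KEY, access_limited INTEGER NOT NULL);
CREATE TABLE edition_revisions (
  edition_id  INTEGER NOT NULL REFERENCES editions(id)  ON DELETE {on_delete},
  revision_id INTEGER NOT NULL REFERENCES revisions(id) ON DELETE RESTRICT,
  PRIMARY KEY (edition_id, revision_id)
);
CREATE TABLE access_limits (
  edition_id INTEGER NOT NULL REFERENCES editions(id) ON DELETE {on_delete},
  organisation TEXT NOT NULL
);
"""

def build_db(on_delete):
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless enabled
    conn.executescript(SCHEMA.format(on_delete=on_delete))
    # Constructed data: edition 20 is access limited; revision 3 is shared
    # by editions 10 and 20, revision 2 belongs only to edition 20.
    conn.executescript("""
    INSERT INTO revisions VALUES (1, 'public'), (2, 'limited only'), (3, 'shared');
    INSERT INTO editions VALUES (10, 0), (20, 1);
    INSERT INTO edition_revisions VALUES (10, 1), (10, 3), (20, 2), (20, 3);
    INSERT INTO access_limits VALUES (20, 'constructed-org');
    """)
    return conn

def sync_scrub(conn):
    """Delete access limited editions, then revisions no edition references."""
    conn.execute("DELETE FROM editions WHERE access_limited = 1")
    conn.execute("DELETE FROM revisions WHERE id NOT IN "
                 "(SELECT revision_id FROM edition_revisions)")
    conn.commit()
    ids = lambda sql: [row[0] for row in conn.execute(sql)]
    return {
        "editions": ids("SELECT id FROM editions ORDER BY id"),
        "revisions": ids("SELECT id FROM revisions ORDER BY id"),
        "access_limits": conn.execute("SELECT count(*) FROM access_limits").fetchone()[0],
    }

def scrub_with(on_delete):
    """Surviving rows after the scrub, or the constraint error if it is refused."""
    try:
        return sync_scrub(build_db(on_delete))
    except sqlite3.IntegrityError as err:
        return str(err)
```

With RESTRICT the scrub is refused outright; with CASCADE the access limited edition, its access limit row and its unshared revision go, while the shared revision survives because another edition still references it.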

Status

Accepted

Consequences

We no longer have a hard and fast rule that foreign key constraints should always restrict deletion. Developers manipulating the structure of the database now have to consider whether a change impacts data that can be access limited. If this is the case, there must not be constraints that prevent deletion as part of the data sync.