[ENG-1974] Filtered bulk actions for DSRs

[JadeCara]

Ticket ENG-1974

Description Of Changes

🎯 As a Fides user I want to be able to filter my results and then act on them, so that I can perform actions on many pages of results instead of having to go 1 by 1.

AC:

• Existing bulk action endpoints accept all the same filters as the search endpoint and apply the actions to the results.
• Existing bulk action endpoints accept a list of exclude_ids to be excluded from the actions
• Implementation reuses patterns for bulk actions used in the action center

Code Changes

• src/fides/api/api/v1/endpoints/privacy_request_endpoints.py: updated bulk functions with updates schema and functionality
• tests/ops/api/v1/endpoints/privacy_request/test_privacy_request_endpoints.py: All existing tests should continue to pass added TestFilteredBulkActions for the new filter functionality.

PRs in this chain:

• [ENG-1974] schema updates for bulk filtered dsr #7049 updates the schemas
• ENG-1974 add bulk operations to privacy request service #7050 updates the privacy request service to batch ids
• [ENG-1974] helper functions #7051 adds the helper functions for ids and filters
• [ENG-1974] Filtered bulk actions for DSRs #7027 updates the endpoints to use the filters with tests

Steps to Confirm

1. There should be no change in current functionality. Right now the front end passes back a list for all bulk functions so any tests with the front end should work exactly the same.
2. Test with the api: You can manually test with the api
3. Run fidesplus pointed at this branch. Create several DSRs with different values to test the filtering.
4. Hit the various bulk endpoints with different filters and verify the outcomes.
   Endpoints:

• /api/v1/privacy-request/bulk/soft-delete ✅ manually tested with ids and filters
• /api/v1/privacy-request/bulk/retry ✅ manually tested with ids and filters
• /api/v1/privacy-request/bulk/finalize (if you have it enabled) ✅ manually tested with ids and filters
• /api/v1/privacy-request/administrate/approve ✅ manually tested with ids and filters
• /api/v1/privacy-request/administrate/deny ✅ manually tested with ids and filters
• /api/v1/privacy-request/administrate/cancel ✅ manually tested with ids and filters
  Example:
  POST /api/v1/privacy-request/bulk/soft-delete with the following will delete all errored dsrs except the excluded id.

{
  "request_ids": [],
  "filters": {
    "status": "error"
  },
  "exclude_ids": [
    "pri_c35165f2-85e2-4dff-a008-2aee78486037" <--- your own errored id here
  ]
}

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
  • Add a db-migration This indicates that a change includes a database migration label to the entry if your change includes a DB migration
  • Add a high-risk This issue suggests changes that have a high-probability of breaking existing code label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
  • Updates unreleased work already in Changelog, no new entry necessary
• UX feedback:
  • All UX related changes have been reviewed by a designer
  • No UX review needed
• Followup issues:
  • Followup issues created
  • No followup issues
• Database migrations:
  • Ensure that your downrev is up to date with the latest revision on main
  • Ensure that your downgrade() migration is correct and works
    • If a downgrade migration is not possible for this change, please call this out in the PR description!
  • No migrations
• Documentation:
  • Documentation complete, PR opened in fidesdocs
  • Documentation issue created in fidesdocs
  • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
  • No documentation updates required

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
fides-plus-nightly	Ready	Preview	Comment	Dec 10, 2025 6:25pm

1 Skipped Deployment

Project	Deployment	Preview	Comments	Updated (UTC)
fides-privacy-center	Ignored			Dec 10, 2025 6:25pm

[codecov]

Codecov Report

❌ Patch coverage is 70.96774% with 18 lines in your changes missing coverage. Please review.
✅ Project coverage is 87.31%. Comparing base (326a4cc) to head (3da507a).
⚠️ Report is 7 commits behind head on main.

Files with missing lines	Patch %	Lines
.../api/api/v1/endpoints/privacy_request_endpoints.py	66.03%	16 Missing and 2 partials ⚠️

❌ Your patch status has failed because the patch coverage (70.96%) is below the target coverage (100.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #7027   +/-   ##
=======================================
  Coverage   87.30%   87.31%           
=======================================
  Files         532      532           
  Lines       34936    34962   +26     
  Branches     4048     4047    -1     
=======================================
+ Hits        30502    30526   +24     
- Misses       3552     3558    +6     
+ Partials      882      878    -4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[greptile-apps]

Greptile Overview

Greptile Summary

This PR implements filter-based bulk actions for DSRs, enabling users to act on multiple pages of results by applying filters instead of requiring explicit ID lists.

Key Changes:

• All 6 bulk action endpoints (approve, deny, cancel, finalize, retry, soft_delete) now accept either request_ids or filters with optional exclude_ids
• Added PrivacyRequestBulkSelection schema with validation ensuring request_ids and filters are mutually exclusive
• Implemented resolve_request_ids_from_filters helper function that applies filters, exclusions, and enforces a 10,000 result limit
• Maintained backwards compatibility by accepting plain arrays of request IDs
• Added comprehensive test coverage including parametrized tests for all 6 endpoints and detailed unit tests for filter resolution logic

Implementation Quality:

• Schema validation properly prevents invalid combinations (e.g., exclude_ids with request_ids)
• Batching logic handles large result sets by processing in chunks of 50
• Error handling appropriately raises ValueError when filter results exceed limits
• Clean separation between endpoint, service, and query utility layers

Confidence Score: 4/5

• This PR is safe to merge with minor style optimization possible
• The implementation is solid with comprehensive test coverage, proper validation, and good error handling. The schema validation correctly prevents invalid input combinations, the MAX_BULK_FILTER_RESULTS limit is properly enforced, and batching logic handles large datasets appropriately. The backwards compatibility layer cleanly handles both new and legacy API formats. One minor optimization suggested for empty list handling in batching logic, but this doesn't affect correctness.
• No files require special attention - implementation is clean across all modified files

Important Files Changed

File Analysis

Filename	Score	Overview
src/fides/api/api/v1/endpoints/privacy_request_endpoints.py	4/5	Updated all bulk action endpoints to support filter-based selection with exclude_ids. Added _create_bulk_selection_dependency factory for backwards compatibility with plain list inputs. Implementation properly handles batching and error cases.
src/fides/api/schemas/privacy_request.py	4/5	Added MAX_BULK_FILTER_RESULTS constant and PrivacyRequestBulkSelection schema with proper validation for mutually exclusive request_ids and filters. Validation correctly prevents exclude_ids being used with request_ids.
src/fides/service/privacy_request/privacy_request_query_utils.py	5/5	Added resolve_request_ids_from_filters helper that properly applies filters, exclusions, and enforces MAX_BULK_FILTER_RESULTS limit. Implementation correctly handles both explicit IDs and filter-based selection.
tests/ops/api/v1/endpoints/privacy_request/test_privacy_request_endpoints.py	4/5	Added TestFilteredBulkActions class with parametrized test covering all 6 bulk endpoints with filters and exclusions. Test validates that filters work and exclusions are properly applied.

[JadeCara]

@greptile please review

[greptile-apps]

_{4 files reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile}

[JadeCara]

@greptile please review

[greptile-apps]

_{4 files reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile}

[JadeCara]

@greptile please review

[greptile-apps]

_{7 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[JadeCara]

@greptile please review

[greptile-apps]

Additional Comments (1)

1. src/fides/service/privacy_request/privacy_request_service.py, line 138-146 (link)

   style: get_batches_for_bulk_operation returns [[]] when request_ids is empty, causing unnecessary iteration. Consider early return for empty lists.

_{7 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[vcruces]

Looks great to me! Thanks for applying the batching change, this will be really useful as we start handling larger numbers of DSRs