Adding display order to PrivacyNotice and ExperienceNotices

[galvana]

Ticket ENG-1837

Description Of Changes

Adds a display_order field to ExperienceNotices and PrivacyNotice. This allows us to store notices in the order provided via the API. Additionally, the display_order field is used to order notices on read.

• ExperienceNotices - Stores how the notices should be ordered within a given privacy experience
• PrivacyNotices - Stores how child notices should be ordered within a parent notice

These changes are non-breaking. If display_order is not available, we can still return notices. Additionally, if only some notices have an order (this shouldn't happen under normal use) notices without an order will be placed after notices with a display order. The display_order does not need to be provided, and it is also not returned, it's just a backend detail. The order of the notices is derived from the list order on ingestion, and the items are ordered by display order on read.

Code Changes

• Alembic migration to add display_order to experiencenotices and privacynotice.
• Set draggable to true for the notice configuration section of the privacy experience form.
• Modified the ScrollableList to match the height of the contents. It was hard to drag elements within this list while having to scroll to the top of the list. We need to make sure this doesn't affect other pages.

Steps to Confirm

1. Create a notice with child notices. The order should be preserved after you save and refresh the page.

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
  • Add a db-migration This indicates that a change includes a database migration label to the entry if your change includes a DB migration
  • Add a high-risk This issue suggests changes that have a high-probability of breaking existing code label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
  • Updates unreleased work already in Changelog, no new entry necessary
• UX feedback:
  • All UX related changes have been reviewed by a designer
  • No UX review needed
• Followup issues:
  • Followup issues created
  • No followup issues
• Database migrations:
  • Ensure that your downrev is up to date with the latest revision on main
  • Ensure that your downgrade() migration is correct and works
    • If a downgrade migration is not possible for this change, please call this out in the PR description!
  • No migrations
• Documentation:
  • Documentation complete, PR opened in fidesdocs
  • Documentation issue created in fidesdocs
  • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
  • No documentation updates required

[vercel]

Deployment failed with the following error:

You must set up Two-Factor Authentication before accessing this team.

View Documentation: https://vercel.com/docs/two-factor-authentication

[codecov]

Codecov Report

❌ Patch coverage is 94.44444% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 87.32%. Comparing base (7034e51) to head (8a390cd).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
src/fides/api/models/privacy_notice.py	90.90%	0 Missing and 1 partial ⚠️

❌ Your patch status has failed because the patch coverage (94.44%) is below the target coverage (100.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #6939   +/-   ##
=======================================
  Coverage   87.32%   87.32%           
=======================================
  Files         525      525           
  Lines       34429    34445   +16     
  Branches     3962     3965    +3     
=======================================
+ Hits        30064    30080   +16     
  Misses       3501     3501           
  Partials      864      864           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[greptile-apps]

Greptile Overview

Greptile Summary

This PR adds a display_order field to ExperienceNotices and PrivacyNotice models to preserve the order of notices as provided via the API. The implementation is non-breaking and handles backward compatibility well.

Key Changes

• Database Migration: Adds nullable display_order INTEGER columns to experiencenotices and privacynotice tables with proper upgrade/downgrade functions
• Backend Models:
  • ExperienceNotices junction table stores ordering of notices within a privacy experience
  • PrivacyNotice model stores ordering of child notices within a parent notice
  • Ordering uses .asc().nullslast() to handle NULL values gracefully (backward compatibility)
  • display_order is correctly excluded from historical records via pop() operations
• Frontend:
  • Enabled draggable={true} on ScrollableList components for privacy notices and child notices
  • Modified ScrollableList to remove max-height constraint when draggable for better UX
• Test Coverage: Comprehensive tests added for display order functionality, reordering, NULL handling, and historical record exclusion

Non-Breaking Design

The implementation preserves backward compatibility:

• display_order is nullable, so existing records without ordering continue to work
• NULL values appear last in ordered queries via nullslast()
• Order is derived from list position on ingestion, not explicitly required in API

Confidence Score: 4/5

• Safe to merge with one minor concern about ScrollableList changes affecting other pages
• The implementation is solid with proper database migrations, comprehensive test coverage, and good backward compatibility. The score is 4 instead of 5 due to the ScrollableList change that removes max-height constraint for draggable lists, which could potentially affect other pages using this component. This should be verified across the application.
• clients/admin-ui/src/features/common/ScrollableList.tsx - verify ScrollableList height changes don't adversely affect other pages

Important Files Changed

File Analysis

Filename	Score	Overview
src/fides/api/alembic/migrations/versions/xx_2025_11_07_1709_56fe6fad2d89_add_notice_display_order.py	5/5	Clean migration adding nullable display_order INTEGER columns to experiencenotices and privacynotice tables with proper downgrade
src/fides/api/models/privacy_notice.py	5/5	Added display_order to PrivacyNotice model with proper ordering via order_by on children relationship; excludes field from historical records correctly
src/fides/api/models/privacy_experience.py	5/5	Updated privacy_notices relationship ordering and modified link_notices_to_experience_config to set display_order based on list position; properly expires relationship after update
clients/admin-ui/src/features/common/ScrollableList.tsx	4/5	Removed maxHeight constraint from list container when draggable=true to improve UX; may affect other pages using ScrollableList with draggable items

[greptile-apps]

_{11 files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}

[erosselli]

Approving with some comments. Don't forget the changelog entry

also codecov's complaining, let's make sure we have coverage for all added lines :)

[erosselli]

cursor loves the local imports 😒