From 209be897a0b4feb6f2038125768c4e745654a68d Mon Sep 17 00:00:00 2001
From: Felix Wolfsteller
Date: Wed, 23 Sep 2020 11:07:19 +0200
Subject: [PATCH] store terms_accepted_at for User registration (#13)
---
 app/models/user.rb | 6 ++++++
 ...200923085201_add_terms_accepted_at_to_user.rb | 9 +++++++++
 doc/knowledgebase.md | 16 +++++++++++++---
 test/system/tos_test.rb | 13 ++++++++++++-
 4 files changed, 40 insertions(+), 4 deletions(-)
 create mode 100644 db/migrate/20200923085201_add_terms_accepted_at_to_user.rb
diff --git a/app/models/user.rb b/app/models/user.rb
index ed8d3cb..3cd7d4e 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -18,6 +18,8 @@ class User < ApplicationRecord
 attribute :read_privacy_terms
 validates_acceptance_of :read_privacy_terms, :allow_nil => false, :on => :create
+ after_create :accept_terms
+
 scope :with_current_subscription, -> { joins(:subscriptions).merge(Subscription.current) }
@@ -59,4 +61,8 @@ def in_trial_period?
 def send_devise_notification(notification, *args)
 devise_mailer.send(notification, self, *args).deliver_later
 end
+
+ def accept_terms
+ update(terms_accepted_at: DateTime.now)
+ end
 end
diff --git a/db/migrate/20200923085201_add_terms_accepted_at_to_user.rb b/db/migrate/20200923085201_add_terms_accepted_at_to_user.rb
new file mode 100644
index 0000000..e958d70
--- /dev/null
+++ b/db/migrate/20200923085201_add_terms_accepted_at_to_user.rb
@@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: 2020 Felix Wolfsteller
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+class AddTermsAcceptedAtToUser < ActiveRecord::Migration[6.0]
+ def change
+ add_column :users, :terms_accepted_at, :datetime
+ end
+end
diff --git a/doc/knowledgebase.md b/doc/knowledgebase.md
index 9e88248..285a5ea 100644
--- a/doc/knowledgebase.md
+++ b/doc/knowledgebase.md
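Review bot: `after_create :accept_terms` records consent for every User row that gets created, not only for sign-ups through the registration form. The one acceptance validation visible in this hunk covers `read_privacy_terms`; whether acceptance of the terms themselves is validated on the model cannot be seen here, so a record created from a console, a seed or another controller may end up with a consent timestamp nobody gave. Since the timestamp is meant as evidence of consent, I would either make the callback conditional on the acceptance attributes or state the assumption in a comment, e.g. `# every create path must validate acceptance; terms_accepted_at is set unconditionally`. The class body starts and ends outside the hunk.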
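Review bot: `accept_terms` ignores the result of `update`, so when that second save fails the user is left without a consent timestamp and nothing reports it. It also costs an extra UPDATE with a full validation and callback run right after the INSERT. Assigning the value before the row is written avoids both: register the callback as `before_create :accept_terms` and make the body `self.terms_accepted_at = Time.current`. `Time.current` is the zone-aware Rails clock, whereas `DateTime.now` uses the system zone. The method is added after `send_devise_notification`; whether a `private` or `protected` section is in effect at that point is outside the hunk.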
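Review bot: The migration adds `terms_accepted_at` as a nullable column with no backfill, so every existing user keeps NULL, and nothing in the file says what NULL means. If NULL is meant to stand for "no recorded consent" (the knowledgebase text about redirecting users to re-agree suggests that), a comment above `add_column` would make it explicit: `# NULL = no recorded consent (rows created before this migration)`. Note also that the knowledgebase hunk of this commit names the column `accepted_terms_at`, which does not match the `terms_accepted_at` created here.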
@@ -256,13 +256,23 @@ taken notice of, there cannot be disagreement by click). As the policies might change, it is important to store the date of the consents.
-In order to force users to agree to the policies, the devises User model is
-adjusted to force acceptance via a checkbox. The agreement itself is not stored,
-but timestamped instead (column: ).
+In order to force users to agree to the policies (at registration), the
+devises User model is adjusted to force acceptance via a checkbox.
+This applies only in the create-phase.
+
+The agreement itself is not stored, but is timestamped instead (column:
+`accepted_terms_at`). To ease things (and we are only dealing with two
+policies), just one timestamp is stored - if the consent becomes invalid
+(because outdated), both policies have to be re-agreed to.
 After a valid login we have to redirect users to re-agree to the terms/policies if they are outdated. To do so there are at least two general approaches.
+To hook into the devise workflow, a custom registrations_controller is
+implemented, that overrides the `sign_up_params`. Futhermore, tableless
+attributes are added to the User model and the registration form is adjusted
+accordingly.
+
 #### Rights on data
 ##### Deletion/anonymisation
diff --git a/test/system/tos_test.rb b/test/system/tos_test.rb
index ba0aac6..1da1a62 100644
--- a/test/system/tos_test.rb
+++ b/test/system/tos_test.rb
@@ -45,7 +45,18 @@ class TosTest < ApplicationSystemTestCase
 end
 test "when signed up, dates of consent are saved in User model" do
- skip "tbi"
+ visit new_user_registration_url
+
+ fill_in "E-Mail", with: 'my@ma.il'
+ fill_in "Passwort", with: 'my@ma.il'
+ fill_in "Passwortbestätigung", with: 'my@ma.il'
+
+ check('Datenschutzhinweise gelesen')
+ check('Stimme AGB zu')
+
+ click_on "Für Schnupperwoche registrieren"
+
+ assert_in_delta DateTime.now.to_i, User.last.terms_accepted_at.to_i, 5
 end
 test "when logging in and no consent was given, user is forced to agree or delete account" do
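Review bot: The final assertion reads `User.last` right after `click_on`, so when the sign-up did not go through it sees either nil or some other user, and the failure is then a NoMethodError or a meaningless delta rather than a readable message. Look the record up by the address the test entered and assert presence first: `user = User.find_by(email: 'my@ma.il')`, `assert_not_nil user&.terms_accepted_at`, then `assert_in_delta Time.current.to_i, user.terms_accepted_at.to_i, 5`. With a browser-backed driver the click may also return before the request has finished, so an assertion on the page shown after registration would be a safer wait than querying the database immediately; which driver is used is not visible here.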