add tos_agreement and privacy terms on registration

tackling GDPR Stuff #13 .
econya · Sep 22, 2020 · 351947c · 351947c
1 parent 6d71312
commit 351947c
Show file tree

Hide file tree

Showing 6 changed files with 107 additions and 0 deletions.
diff --git a/app/controllers/registrations_controller.rb b/app/controllers/registrations_controller.rb
@@ -11,4 +11,10 @@ def create
       AdminMailer.new_registration(@user).deliver_later
     end
   end
+
+  protected
+
+  def sign_up_params
+    params.require(:user).permit(:email, :password, :password_confirmation, :tos_agreement, :read_privacy_terms)
+  end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -11,6 +11,13 @@ class User < ApplicationRecord
 
   has_many :subscriptions
 
+  # GDPR sprinkles
+  attribute :tos_agreement
+  validates_acceptance_of :tos_agreement, :allow_nil => false, :on => :create
+
+  attribute :read_privacy_terms
+  validates_acceptance_of :read_privacy_terms, :allow_nil => false, :on => :create
+
   scope :with_current_subscription, -> {
     joins(:subscriptions).merge(Subscription.current)
   }

diff --git a/app/views/devise/registrations/new.html.haml b/app/views/devise/registrations/new.html.haml
@@ -14,6 +14,12 @@
   .field
     = f.label :password_confirmation
     = f.password_field :password_confirmation, autocomplete: "new-password"
+  .field
+    = f.label :tos_agreement
+    = f.check_box :tos_agreement
+  .field
+    = f.label :read_privacy_terms
+    = f.check_box :read_privacy_terms
   .actions
     = invisible_captcha :usernote
     = f.submit t('register.action'), class: 'button is-primary'

diff --git a/config/locales/de.yml b/config/locales/de.yml
@@ -41,6 +41,9 @@ de:
         name: Video-Name
         preview_image: Vorschau-Bild
         video: Video-Datei
+      user:
+        read_privacy_terms: Stimme AGB zu
+        tos_agreement: Datenschutzhinweise gelesen
     models:
       appointment:
         labels:

diff --git a/doc/knowledgebase.md b/doc/knowledgebase.md
@@ -19,6 +19,9 @@
     * [Video Players](#videoplayers)
     * [ffmpeg](#ffmpeg)
   + [Bulma](#bulma)
+  + [GDPR](#gdpr)
+    * [Policy agreements](#policy-agreements)
+    * [Rights on data](#rights-on-data)
 - [ActiveRecord](#activerecord)
 - [Licensing](#licensing)
 - [Known optimizabilities](#know-optimizabilities)
@@ -244,6 +247,29 @@ more, like [plyr](https://github.com/sampotts/plyr.)
 Nice and mostly responsive (be careful with `levels` and `media` elements).
 Custom color-types and shades could be implemented:
 https://github.com/jgthms/bulma/issues/2244 (undocumented)
+### GDPR
+
+#### Policy agreements
+
+Two separate policies have to be agreed to (technically, one has only to be
+taken notice of, there cannot be disagreement by click).
+
+As the policies might change, it is important to store the date of the consents.
+
+In order to force users to agree to the policies, the devises User model is
+adjusted to force acceptance via a checkbox. The agreement itself is not stored,
+but timestamped instead (column: ).
+
+After a valid login we have to redirect users to re-agree to the terms/policies
+if they are outdated. To do so there are at least two general approaches.
+
+#### Rights on data
+
+##### Deletion/anonymisation
+Anonymisation will be fine. Make sure to cover the emails as well.
+
+##### Export in machine-readable format
+JSON will do.
 
 
 ## ActiveRecord

diff --git a/test/system/tos_test.rb b/test/system/tos_test.rb
@@ -0,0 +1,59 @@
+# SPDX-FileCopyrightText: 2020 Felix Wolfsteller
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+require "application_system_test_case"
+require 'test_helper'
+
+class TosTest < ApplicationSystemTestCase
+  include Devise::Test::IntegrationHelpers
+
+  setup do
+    Rack::Attack.enabled = false
+  end
+
+  test "to sign up, user has to agree to TOS and have readprivacy statement" do
+    Rack::Attack.enabled = false
+
+    visit new_user_registration_url
+
+    fill_in "E-Mail",   with: '[email protected]'
+    fill_in "Passwort", with: '[email protected]'
+    fill_in "Passwortbestätigung", with: '[email protected]'
+
+    click_on "Für Schnupperwoche registrieren"
+
+    assert_selector '#error_explanation'
+
+    check('Datenschutzhinweise gelesen')
+
+    fill_in "Passwort", with: '[email protected]'
+    fill_in "Passwortbestätigung", with: '[email protected]'
+
+    click_on "Für Schnupperwoche registrieren"
+
+    assert_selector '#error_explanation'
+
+    check('Stimme AGB zu')
+
+    fill_in "Passwort", with: '[email protected]'
+    fill_in "Passwortbestätigung", with: '[email protected]'
+
+    click_on "Für Schnupperwoche registrieren"
+
+    assert_selector '.notification', text: /Sie erhalten in wenigen Minuten/
+  end
+
+  test "when signed up, dates of consent are saved in User model" do
+    skip "tbi"
+  end
+
+  test "when logging in and no consent was given, user is forced to agree or delete account" do
+    skip "tbi"
+  end
+
+  test "admins can update date of tos changes and user has to re-agree or delete account" do
+    skip "tbi"
+  end
+end
+