From 351947c674b5505fdaf8935bf7c25c8721a8f1b0 Mon Sep 17 00:00:00 2001
From: Felix Wolfsteller
Date: Tue, 22 Sep 2020 20:05:40 +0200
Subject: [PATCH] add tos_agreement and privacy terms on registration
tackling GDPR Stuff #13 .
---
 app/controllers/registrations_controller.rb | 6 ++
 app/models/user.rb | 7 +++
 app/views/devise/registrations/new.html.haml | 6 ++
 config/locales/de.yml | 3 +
 doc/knowledgebase.md | 26 +++++++++
 test/system/tos_test.rb | 59 ++++++++++++++++++++
 6 files changed, 107 insertions(+)
 create mode 100644 test/system/tos_test.rb
diff --git a/app/controllers/registrations_controller.rb b/app/controllers/registrations_controller.rb
index bafc8f6..6abd1f1 100644
--- a/app/controllers/registrations_controller.rb
+++ b/app/controllers/registrations_controller.rb
@@ -11,4 +11,10 @@ def create
 AdminMailer.new_registration(@user).deliver_later
 end
 end
+
+ protected
+
+ def sign_up_params
+ params.require(:user).permit(:email, :password, :password_confirmation, :tos_agreement, :read_privacy_terms)
+ end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index 6fbe47d..ed8d3cb 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -11,6 +11,13 @@ class User < ApplicationRecord
 has_many :subscriptions
+ # GDPR sprinkles
+ attribute :tos_agreement
+ validates_acceptance_of :tos_agreement, :allow_nil => false, :on => :create
+
+ attribute :read_privacy_terms
+ validates_acceptance_of :read_privacy_terms, :allow_nil => false, :on => :create
+
 scope :with_current_subscription, -> { joins(:subscriptions).merge(Subscription.current) }
diff --git a/app/views/devise/registrations/new.html.haml b/app/views/devise/registrations/new.html.haml
index 51b8c2d..9fe9182 100644
--- a/app/views/devise/registrations/new.html.haml
+++ b/app/views/devise/registrations/new.html.haml
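Review bot: The new `sign_up_params` re-lists Devise's default keys (`:email, :password, :password_confirmation`) rather than extending them, so any `devise_parameter_sanitizer.permit(:sign_up, keys: ...)` configured in ApplicationController (now or later) is silently bypassed by this override. The usual form keeps Devise's own defaults and only adds the consent keys: `before_action :configure_permitted_parameters, only: %i[create]` and, in that method, `devise_parameter_sanitizer.permit(:sign_up, keys: %i[tos_agreement read_privacy_terms])`. If the override is kept deliberately, a one-line comment saying why (e.g. `# Overrides Devise's sanitizer: the full sign-up whitelist lives here`) would stop the next reader from "fixing" it. The `create` action this hunk closes begins before the hunk.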
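Review bot: Nothing in the user.rb hunk persists the consent: `attribute :tos_agreement` and `attribute :read_privacy_terms` are declared with no type and the patch adds no migration (the doc/knowledgebase.md hunk also leaves `(column: )` blank), so unless the users table already has these columns the checkbox values live only for validation and the consent date the doc says must be stored is never written. Consider a `before_create` that stamps datetime columns (constructed names: `tos_agreed_at`, `privacy_terms_read_at`) when the flags are accepted, so a later policy change can be compared against the stored date. Separately, the options read better in the file's keyword style: `validates :tos_agreement, acceptance: true, allow_nil: false, on: :create`. The class body continues outside the hunk.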
@@ -14,6 +14,12 @@
 .field
 = f.label :password_confirmation
 = f.password_field :password_confirmation, autocomplete: "new-password"
+ .field
+ = f.label :tos_agreement
+ = f.check_box :tos_agreement
+ .field
+ = f.label :read_privacy_terms
+ = f.check_box :read_privacy_terms
 .actions
 = invisible_captcha :usernote
 = f.submit t('register.action'), class: 'button is-primary'
diff --git a/config/locales/de.yml b/config/locales/de.yml
index e1b00ed..ea06a58 100644
--- a/config/locales/de.yml
+++ b/config/locales/de.yml
@@ -41,6 +41,9 @@ de:
 name: Video-Name
 preview_image: Vorschau-Bild
 video: Video-Datei
+ user:
+ read_privacy_terms: Stimme AGB zu
+ tos_agreement: Datenschutzhinweise gelesen
 models:
 appointment:
 labels:
diff --git a/doc/knowledgebase.md b/doc/knowledgebase.md
index 7966851..9e88248 100644
--- a/doc/knowledgebase.md
+++ b/doc/knowledgebase.md
@@ -19,6 +19,9 @@
 * [Video Players](#videoplayers)
 * [ffmpeg](#ffmpeg)
 + [Bulma](#bulma)
+ + [GDPR](#gdpr)
+ * [Policy agreements](#policy-agreements)
+ * [Rights on data](#rights-on-data)
 - [ActiveRecord](#activerecord)
 - [Licensing](#licensing)
 - [Known optimizabilities](#know-optimizabilities)
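Review bot: The two new `.field` blocks render a label and a checkbox but no link to the terms or privacy notes the user is confirming, so on this page the user is asked to agree to text they cannot reach; unless those links are rendered elsewhere on the registration page, consider `= f.label :tos_agreement do` with a `link_to` to the policy page inside the label (same for `:read_privacy_terms`). As a side note for whoever touches the model validation, `f.check_box` also emits a hidden `0` field, so an unticked box posts `"0"` rather than omitting the key, which is why the model's `allow_nil: false` acceptance check rejects it.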
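Review bot: The two new translations in de.yml are swapped: `read_privacy_terms` is labelled "Stimme AGB zu" (agree to the terms) and `tos_agreement` is labelled "Datenschutzhinweise gelesen" (privacy notes read), so the box a user ticks for the terms is submitted as `read_privacy_terms` and vice versa, and any consent record derived from these attributes would assign each consent to the wrong policy. The lines should read `read_privacy_terms: Datenschutzhinweise gelesen` and `tos_agreement: Stimme AGB zu`. The system test in test/system/tos_test.rb locates the boxes by label text only, so it passes either way and does not catch this.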
@@ -244,6 +247,29 @@ more, like [plyr](https://github.com/sampotts/plyr.) Nice and mostly responsive (be careful with `levels` and `media` elements). Custom color-types and shades could be implemented: https://github.com/jgthms/bulma/issues/2244 (undocumented)
+### GDPR
+
+#### Policy agreements
+
+Two separate policies have to be agreed to (technically, one has only to be
+taken notice of, there cannot be disagreement by click).
+
+As the policies might change, it is important to store the date of the consents.
+
+In order to force users to agree to the policies, the devises User model is
+adjusted to force acceptance via a checkbox. The agreement itself is not stored,
+but timestamped instead (column: ).
+
+After a valid login we have to redirect users to re-agree to the terms/policies
+if they are outdated. To do so there are at least two general approaches.
+
+#### Rights on data
+
+##### Deletion/anonymisation
+Anonymisation will be fine. Make sure to cover the emails as well.
+
+##### Export in machine-readable format
+JSON will do.
 ## ActiveRecord
diff --git a/test/system/tos_test.rb b/test/system/tos_test.rb
new file mode 100644
index 0000000..ba0aac6
--- /dev/null
+++ b/test/system/tos_test.rb
@@ -0,0 +1,59 @@
+# SPDX-FileCopyrightText: 2020 Felix Wolfsteller
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+require "application_system_test_case"
+require 'test_helper'
+
+class TosTest < ApplicationSystemTestCase
+ include Devise::Test::IntegrationHelpers
+
+ setup do
+ Rack::Attack.enabled = false
+ end
+
+ test "to sign up, user has to agree to TOS and have readprivacy statement" do
+ Rack::Attack.enabled = false
+
+ visit new_user_registration_url
+
+ fill_in "E-Mail", with: 'my@ma.il'
+ fill_in "Passwort", with: 'my@ma.il'
+ fill_in "Passwortbestätigung", with: 'my@ma.il'
+
+ click_on "Für Schnupperwoche registrieren"
+
+ assert_selector '#error_explanation'
+
+ check('Datenschutzhinweise gelesen')
+
+ fill_in "Passwort", with: 'my@ma.il'
+ fill_in "Passwortbestätigung", with: 'my@ma.il'
+
+ click_on "Für Schnupperwoche registrieren"
+
+ assert_selector '#error_explanation'
+
+ check('Stimme AGB zu')
+
+ fill_in "Passwort", with: 'my@ma.il'
+ fill_in "Passwortbestätigung", with: 'my@ma.il'
+
+ click_on "Für Schnupperwoche registrieren"
+
+ assert_selector '.notification', text: /Sie erhalten in wenigen Minuten/
+ end
+
+ test "when signed up, dates of consent are saved in User model" do
+ skip "tbi"
+ end
+
+ test "when logging in and no consent was given, user is forced to agree or delete account" do
+ skip "tbi"
+ end
+
+ test "admins can update date of tos changes and user has to re-agree or delete account" do
+ skip "tbi"
+ end
+end
+
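Review bot: `Rack::Attack.enabled = false` in the `setup` block is process-global state that is never restored, so every test that runs after this file loses the throttling/blocklist behaviour it may be relying on; the same assignment is repeated inside the first test, where it is redundant. Capture the previous value and put it back in `teardown`, and drop the duplicate line from the test body. The first test also only asserts that some `#error_explanation` appears, not that it belongs to the consent fields, so a failure on an unrelated field (e.g. the e-mail) would look the same; the skipped "dates of consent are saved" test is the right place to assert what actually ended up on the User record. The test name's "readprivacy" reads as a typo for "read privacy".
```ruby
setup do
  @rack_attack_was_enabled = Rack::Attack.enabled
  Rack::Attack.enabled = false
end

teardown do
  Rack::Attack.enabled = @rack_attack_was_enabled
end

test "to sign up, user has to agree to TOS and have read privacy statement" do
  visit new_user_registration_url
  # … unchanged: form filling and assertions …
```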