Re-trigger consent to privacy statement when they change or when user changes institutions

Bug #1734174 reported by Kristina Hoeppner on 2017-11-23
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
Wishlist
Maria Sorica

Bug Description

We need to make a series of changes in Mahara to comply with the GDPR. More info is available on the wiki at https://wiki.mahara.org/wiki/Developer_Area/Specifications_in_Development/GDPR_compliance

The following should be possible:

1. When site privacy statement changes, user needs to accept it again.
2. When institution privacy statement changes, members of the institution need to accept it again.
3. When user joins a new institution, they need to agree to the new institution's privacy statement.

If only site or institution privacy statement changes, the user should still be presented with the site and institution privacy statement but it should be clear which section has changed, e.g. show the institution privacy statement in a non-retracted panel but the site privacy statement in a retracted panel so they can read them again, but it's clear which section needs approval.

This also means that the T&C need to be shown when a new user joins Mahara via any auth method.

Mark Webster (mark-webster-v) wrote :

Changes proposed:

1. Create new DB table ("usr_terms"?) with fields - id[PK], usr, institution, version, time. Will contain reference to site_terms (see bug #1734182) version field of T&C version each user has agreed to for each relevant insitution, and the time they agreed to them.

3. Upon login, fetch most recent T&C version from site_terms, compare with version stored in usr_terms.

2. Redirect users to page to accept updated T&C.

    * Page to list all applicable T&C (site and institutions) in expandable panels.
    * Not yet agreed to (first visit, new institution membership, or T&C updated) T&C panels
      will be expanded.
    * Panels containing T&C already agreed to will be collapsed.
    * Single "Accept" button for accepting all terms.
    * Single "Do not accept" button which, when clicked, will notify relevant admins
      (site and istitution) for further investigation.

3. No other site pages will be accessible until user has agreed to T&C.

Changed in mahara:
assignee: nobody → Maria Sorica (maria-sorica)

For new users, if someone doesn't accept the T&C, no account will be created.

We'll also need to keep in mind that we'll need consent buttons (at least as far as I can see; you can check with Peter on that in the UK time zone).

Please check with Robert about the technical changes.

changed the wording to mean "privacy statement" in the description rather than T&C as that is the immediate change that is required.

summary: - Re-trigger consent and agreement to T&C when they change or when user
+ Re-trigger consent to privacy statement when they change or when user
changes institutions
description: updated
Changed in mahara:
status: Confirmed → In Progress
Mahara Bot (dev-mahara) wrote :

Patch for "master" branch: https://reviews.mahara.org/8417

Mahara Bot (dev-mahara) wrote :

Patch for "master" branch: https://reviews.mahara.org/8423

Mahara Bot (dev-mahara) wrote :

Patch for "master" branch: https://reviews.mahara.org/8428

Changed in mahara:
status: In Progress → Fix Committed

Reviewed: https://reviews.mahara.org/8417
Committed: https://git.mahara.org/mahara/mahara/commit/dece7ed938d8ccf6f133a6fadfbfe651b28341e7
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit dece7ed938d8ccf6f133a6fadfbfe651b28341e7
Author: Maria Sorica <email address hidden>
Date: Mon Jan 8 14:31:53 2018 +0000

Bug 1734174: Create usr_agreement table

behatnotneeded

Change-Id: Ibd10a64a601a38ed88a4c49ce720f0d343d1fe83

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8408
Committed: https://git.mahara.org/mahara/mahara/commit/9cfbb97a9df1c8a6755dff7583518d7354045562
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 9cfbb97a9df1c8a6755dff7583518d7354045562
Author: Maria Sorica <email address hidden>
Date: Fri Jan 5 15:49:16 2018 +0000

Bug 1734174: Users Privacy Statement page

The page displays the current privacy statement that the user has consented to.
behatnotneeded

Change-Id: I03d79f538b0a3775cf49c0ed39a05b3a98c8bf04

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8423
Committed: https://git.mahara.org/mahara/mahara/commit/44a6284e294956ef19430fccec0b2957e4323e11
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 44a6284e294956ef19430fccec0b2957e4323e11
Author: Maria Sorica <email address hidden>
Date: Thu Jan 11 17:33:12 2018 +0000

Bug 1734174: Add the after login privacy page

Upon login, if the user has not yet agreed to the most
recent Privacy statement versions, he will be redirected
to this page.

On install admin user accepts default privacy

behatnotneeded

Change-Id: I6afc3d4d4db0676782a8b1501a962862108eab6b

tags: added: nominatedfeature
Robert Lyon (robertl-9) on 2018-04-05
Changed in mahara:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers