implemented positive opt in for GDPR

2018-03-07 13:55:25 +01:00
parent 0808884c9c
commit ad71e8ff0d
6 changed files with 107 additions and 1 deletions
--- a/rowers/middleware.py
+++ b/rowers/middleware.py
@@ -71,5 +71,30 @@ class PowerTimeFitnessMetricMiddleWare(object):
            result = do_update(request.user,mode='rower')
            result = do_update(request.user,mode='water')
        
+from django.shortcuts import redirect


+allowed_paths = [
+    '/rowers/me/delete',
+    '/',
+    '/logout',
+    '/logout/',
+    '/rowers/me/gdpr-optin/',
+    '/rowers/me/gdpr-optin-confirm/',
+    '/rowers/me/gdpr-optin',
+    '/rowers/me/gdpr-optin-confirm'
+    '/rowers/exportallworkouts/',
+    '/rowers/exportallworkouts',
+]
+
+class GDPRMiddleWare(object):
+    def process_request(self, request):
+        if request.user.is_authenticated() and request.path not in allowed_paths:
+            r = getrower(request.user)
+            nexturl = request.path
+            if 'optin' in nexturl:
+                nexturl = '/rowers/list-workouts'
+            if not r.gdproptin:
+                return redirect(
+                    '/rowers/me/gdpr-optin/?next=%s' % nexturl
+                )
--- a/rowers/models.py
+++ b/rowers/models.py
@@ -468,6 +468,8 @@ class Rower(models.Model):
        ('Yoga','Yoga'),
        )
    user = models.OneToOneField(User)
+    gdproptin = models.BooleanField(default=False)
+    gdproptindate = models.DateTimeField(blank=True,null=True)

    # Heart Rate Zone data
    max = models.IntegerField(default=192,verbose_name="Max Heart Rate")
--- a/rowers/templates/gdpr_optin.html
+++ b/rowers/templates/gdpr_optin.html
@@ -0,0 +1,49 @@
+{% extends "base.html" %}
+{% load staticfiles %}
+{% load rowerfilters %}
+
+{% block title %}GDPR Opt-In{% endblock %}
+
+{% block content %}
+<div class="grid_12">
+  <h2>GDPR Opt-In</h2>
+  <hr>
+  <p>
+    <b>
+      To comply with the European Union General Data Protection Regulation,
+      we need to record your consent to use personal data on this website.
+      Please take some time to review our data policies. If you agree and
+      opt in, click the green button at the bottom to be taken to the site.
+      If you do not agree, please use the red button to delete your
+      account. This will irreversibly delete all your data on rowsandall.com
+      and remove your account.
+    </b>
+  </p>
+
+  <p>
+    This paragraph will contain the data policy
+  </p>
+
+  <p>
+    <div class="grid_2 suffix_10 alpha">
+      <p>
+        <a class="button gray small" href="/rowers/exportallworkouts">Download your data</a>
+        </p>
+    </div>
+  </p>
+  
+  <div class="grid_2 alpha">
+    <a href="/rowers/me/gdpr-optin-confirm/?next={{ next }}" class="button green small">Opt in and continue</a>
+  </div>
+  <form method="POST" action="/rowers/me/delete" class="padding">
+    {% csrf_token %}
+    <input id="id_delete_user" type="hidden" name="delete_user" value="True">
+    <div class="grid_2 prefix_2">
+      <input class="button red small" type="submit" name="action" value="DELETE ACCOUNT">
+      
+    </div>
+  </form>
+
+</div>
+
+{% endblock %}
--- a/rowers/urls.py
+++ b/rowers/urls.py
@@ -121,7 +121,7 @@ urlpatterns = [
    url(r'^400/$', TemplateView.as_view(template_name='400.html'),name='400'),
    url(r'^403/$', TemplateView.as_view(template_name='403.html'),name='403'),
    url(r'^imports/$', TemplateView.as_view(template_name='imports.html'), name='imports'),
-    url(r'^exportallworkouts$',views.workouts_summaries_email_view),
+    url(r'^exportallworkouts/?$',views.workouts_summaries_email_view),
    url(r'^agegroupcp/(?P<age>\d+)$',views.agegroupcpview),
    url(r'^agegroupcp/(?P<age>\d+)/(?P<normalize>\d+)$',views.agegroupcpview),
    url(r'^ajax_agegroup/(?P<age>\d+)/(?P<weightcategory>\w+.*)/(?P<sex>\w+.*)/(?P<userid>\d+)$',
@@ -338,6 +338,8 @@ urlpatterns = [
    url(r'^user-multiflex-data$',views.multiflex_data),
    url(r'^me/deactivate$',views.deactivate_user),
    url(r'^me/delete$',views.remove_user),
+    url(r'^me/gdpr-optin-confirm/?$',views.user_gdpr_confirm),
+    url(r'^me/gdpr-optin/?$',views.user_gdpr_optin),
    url(r'^me/teams/$',views.rower_teams_view),
    url(r'^me/calcdps/$',views.rower_calcdps_view),
    url(r'^me/exportsettings/$',views.rower_exportsettings_view),
--- a/rowers/views.py
+++ b/rowers/views.py
@@ -594,6 +594,33 @@ def deactivate_user(request):
    else:
        raise PermissionDenied    

+@login_required()
+def user_gdpr_optin(request):
+    r = getrower(request.user)
+    r.gdproptin = False
+    r.gdproptindate = None
+    r.save()
+    nexturl = request.GET.get('next','/rowers/list-workouts/')
+    if r.gdproptin:
+        return HttpResponseRedirect(nexturl)
+
+    return render(request,'gdpr_optin.html',{
+        "next": nexturl
+        })
+
+@login_required()
+def user_gdpr_confirm(request):
+    r = getrower(request.user)
+    r.gdproptin = True
+    r.gdproptindate = timezone.now()
+    r.save()
+
+    nexturl = request.GET.get('next','/rowers/list-workouts/')
+
+    return HttpResponseRedirect(nexturl)
+                  
+        
+    
@login_required()
 def remove_user(request):
    pk = request.user.id
--- a/rowsandall_app/settings.py
+++ b/rowsandall_app/settings.py
@@ -94,6 +94,7 @@ MIDDLEWARE_CLASSES = [
    'async_messages.middleware.AsyncMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'tz_detect.middleware.TimezoneMiddleware',
+    'rowers.middleware.GDPRMiddleWare',
    'rowers.middleware.PowerTimeFitnessMetricMiddleWare',
 ]