From ad71e8ff0d95bda5548e4bbdbe2a37ebc16ab7d9 Mon Sep 17 00:00:00 2001 From: Sander Roosendaal Date: Wed, 7 Mar 2018 13:55:25 +0100 Subject: [PATCH] implemented positive opt in for GDPR --- rowers/middleware.py | 25 ++++++++++++++++ rowers/models.py | 2 ++ rowers/templates/gdpr_optin.html | 49 ++++++++++++++++++++++++++++++++ rowers/urls.py | 4 ++- rowers/views.py | 27 ++++++++++++++++++ rowsandall_app/settings.py | 1 + 6 files changed, 107 insertions(+), 1 deletion(-) create mode 100644 rowers/templates/gdpr_optin.html diff --git a/rowers/middleware.py b/rowers/middleware.py index e9c90956..c87c6c44 100644 --- a/rowers/middleware.py +++ b/rowers/middleware.py @@ -71,5 +71,30 @@ class PowerTimeFitnessMetricMiddleWare(object): result = do_update(request.user,mode='rower') result = do_update(request.user,mode='water') +from django.shortcuts import redirect +allowed_paths = [ + '/rowers/me/delete', + '/', + '/logout', + '/logout/', + '/rowers/me/gdpr-optin/', + '/rowers/me/gdpr-optin-confirm/', + '/rowers/me/gdpr-optin', + '/rowers/me/gdpr-optin-confirm' + '/rowers/exportallworkouts/', + '/rowers/exportallworkouts', +] + +class GDPRMiddleWare(object): + def process_request(self, request): + if request.user.is_authenticated() and request.path not in allowed_paths: + r = getrower(request.user) + nexturl = request.path + if 'optin' in nexturl: + nexturl = '/rowers/list-workouts' + if not r.gdproptin: + return redirect( + '/rowers/me/gdpr-optin/?next=%s' % nexturl + ) diff --git a/rowers/models.py b/rowers/models.py index 99117e5a..f9d89468 100644 --- a/rowers/models.py +++ b/rowers/models.py @@ -468,6 +468,8 @@ class Rower(models.Model): ('Yoga','Yoga'), ) user = models.OneToOneField(User) + gdproptin = models.BooleanField(default=False) + gdproptindate = models.DateTimeField(blank=True,null=True) # Heart Rate Zone data max = models.IntegerField(default=192,verbose_name="Max Heart Rate") diff --git a/rowers/templates/gdpr_optin.html b/rowers/templates/gdpr_optin.html new file mode 100644 index 00000000..532dd59f --- /dev/null +++ b/rowers/templates/gdpr_optin.html @@ -0,0 +1,49 @@ +{% extends "base.html" %} +{% load staticfiles %} +{% load rowerfilters %} + +{% block title %}GDPR Opt-In{% endblock %} + +{% block content %} +
+

GDPR Opt-In

+
+

+ + To comply with the European Union General Data Protection Regulation, + we need to record your consent to use personal data on this website. + Please take some time to review our data policies. If you agree and + opt in, click the green button at the bottom to be taken to the site. + If you do not agree, please use the red button to delete your + account. This will irreversibly delete all your data on rowsandall.com + and remove your account. + +

+ +

+ This paragraph will contain the data policy +

+ +

+

+

+ Download your data +

+
+

+ +
+ Opt in and continue +
+
+ {% csrf_token %} + +
+ + +
+
+ +
+ +{% endblock %} diff --git a/rowers/urls.py b/rowers/urls.py index c642adc2..71c4b6fd 100644 --- a/rowers/urls.py +++ b/rowers/urls.py @@ -121,7 +121,7 @@ urlpatterns = [ url(r'^400/$', TemplateView.as_view(template_name='400.html'),name='400'), url(r'^403/$', TemplateView.as_view(template_name='403.html'),name='403'), url(r'^imports/$', TemplateView.as_view(template_name='imports.html'), name='imports'), - url(r'^exportallworkouts$',views.workouts_summaries_email_view), + url(r'^exportallworkouts/?$',views.workouts_summaries_email_view), url(r'^agegroupcp/(?P\d+)$',views.agegroupcpview), url(r'^agegroupcp/(?P\d+)/(?P\d+)$',views.agegroupcpview), url(r'^ajax_agegroup/(?P\d+)/(?P\w+.*)/(?P\w+.*)/(?P\d+)$', @@ -338,6 +338,8 @@ urlpatterns = [ url(r'^user-multiflex-data$',views.multiflex_data), url(r'^me/deactivate$',views.deactivate_user), url(r'^me/delete$',views.remove_user), + url(r'^me/gdpr-optin-confirm/?$',views.user_gdpr_confirm), + url(r'^me/gdpr-optin/?$',views.user_gdpr_optin), url(r'^me/teams/$',views.rower_teams_view), url(r'^me/calcdps/$',views.rower_calcdps_view), url(r'^me/exportsettings/$',views.rower_exportsettings_view), diff --git a/rowers/views.py b/rowers/views.py index cda3a8e2..c341e611 100644 --- a/rowers/views.py +++ b/rowers/views.py @@ -594,6 +594,33 @@ def deactivate_user(request): else: raise PermissionDenied +@login_required() +def user_gdpr_optin(request): + r = getrower(request.user) + r.gdproptin = False + r.gdproptindate = None + r.save() + nexturl = request.GET.get('next','/rowers/list-workouts/') + if r.gdproptin: + return HttpResponseRedirect(nexturl) + + return render(request,'gdpr_optin.html',{ + "next": nexturl + }) + +@login_required() +def user_gdpr_confirm(request): + r = getrower(request.user) + r.gdproptin = True + r.gdproptindate = timezone.now() + r.save() + + nexturl = request.GET.get('next','/rowers/list-workouts/') + + return HttpResponseRedirect(nexturl) + + + @login_required() def remove_user(request): pk = request.user.id diff --git a/rowsandall_app/settings.py b/rowsandall_app/settings.py index 052f2af4..e8d1f0b9 100644 --- a/rowsandall_app/settings.py +++ b/rowsandall_app/settings.py @@ -94,6 +94,7 @@ MIDDLEWARE_CLASSES = [ 'async_messages.middleware.AsyncMiddleware', 'django.middleware.clickjacking.XFrameOptionsMiddleware', 'tz_detect.middleware.TimezoneMiddleware', + 'rowers.middleware.GDPRMiddleWare', 'rowers.middleware.PowerTimeFitnessMetricMiddleWare', ]