Server: [Feature Request] something for the GDPR'ish compliance and something I would like

Created on 4 Jun 2018  ·  4 Comments  ·  Source: nextcloud/server

As are many people in IT right now, I'm convinced I don't know if I'm GDPR ready, but I like it and want to be ready on principle. I think I understood that getting positive confirmation from users that they accept the Terms of Service and Privacy Policy is a requirement—as well as—the two agreements don't break the GDPR or other laws.

How about in the Theming settings for Admin, you add two new checkboxes for the Legal notice link and the Privacy policy link for Required? They would have corresponding checkboxes on the /index.php/login page adjacent to the Legal notice and Privacy policy links in the page footer to indicate acceptance; they would appear if the Required was checked. The fields for account sign-up or Username & Password would be deactivated until the user visiting the login page complied by checking the boxes to indicate they accept. Those values could be cookie stored so that each time a user returned, they would just login without re-checking them. Also on the Admin settings for the Legal notice link and the Privacy policy link would be a button to create a new random string to indicate that the ToS or PP had changed, and the new code wouldn't match the one in the cookie so the user would need to re-accept the changed document.

As for something I would like...

First off, it bugs me that the link attribute "target=" for Web link, Legal notice link and the Privacy policy link are all _"_blank"_ where I prefer _"_top"_ in my case. I looked around and didn't see where to hack it to my way.

Another thing that bugged me was, it was troublesome trying to make an aptly themed page for my ToS and PP. I stole the code from the login page via view source and then tinkered with it to make my pages.

[Screenshot: themed ToS page, 2018-06-03]

[Screenshot: themed PP page, 2018-06-03]

I basically took out the <form> block for the login and put a <textarea disabled readonly name="text???"> block for the content right above the <footer> block. The style for mine comes from:

```html
<style>
textarea {
    width: 66.6%;
    height: 456px;
    padding: 12px 20px;
    box-sizing: border-box;
    border: 2px solid #ccc;
    border-radius: 4px;
    background-color: #8b50d8;
    font-size: 16px;
    color: white;
    resize: none;
}
</style>
```

put just inside the <head> block.

_CERTAINLY_ you could do even better than that though. Perhaps you could have a place for the admin to dump the HTML content for the ToS and PP so instead of links to the pages, it's just right there replacing the login block with the document (_or some pop-up thingie_). And if it's from a built-in area, the revision control could be automated so that random string I mentioned above would happen if even a jot or a tittle were changed by the Admin.

0. Needs triage enhancement needs info
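
The revision check proposed in the post above (a stored code that stops matching once the ToS or PP changes), as an added example that is not part of the original issue and is not Nextcloud code. The cookie format, the 16-character token length and all function names are assumptions made for illustration.

```javascript
// Added example with hypothetical names; sample documents are constructed.
const { createHash } = require("node:crypto");

// Revision token: SHA-256 over the exact document text, so changing even one
// character yields a different token (the automated form of the "random string").
function revisionToken(documentText) {
  return createHash("sha256").update(documentText, "utf8").digest("hex").slice(0, 16);
}

// Assumed cookie format: URL-encoded "tos=<token>;pp=<token>".
// Malformed or unexpected input is treated as "nothing accepted".
function parseAcceptance(cookieValue) {
  const accepted = {};
  let decoded = "";
  try {
    decoded = decodeURIComponent(cookieValue || "");
  } catch (err) {
    return accepted; // broken percent-encoding: ignore the cookie entirely
  }
  for (const part of decoded.split(";")) {
    const [key, token] = part.split("=");
    if ((key === "tos" || key === "pp") && /^[0-9a-f]{16}$/.test(token || "")) {
      accepted[key] = token;
    }
  }
  return accepted;
}

// Returns the documents the visitor still has to tick before the login
// fields are enabled. `required` mirrors the admin's "Required" checkboxes.
function documentsNeedingAcceptance(cookieValue, currentDocs, required) {
  const accepted = parseAcceptance(cookieValue);
  return Object.keys(currentDocs).filter(
    (doc) => required[doc] && accepted[doc] !== revisionToken(currentDocs[doc])
  );
}

// Value to store in the cookie once the visitor has ticked every required box.
function acceptanceCookie(currentDocs) {
  const pairs = Object.keys(currentDocs).map((d) => `${d}=${revisionToken(currentDocs[d])}`);
  return encodeURIComponent(pairs.join(";"));
}
```

The cookie is under the visitor's control, so this gates the login form for convenience only; a durable record of who accepted which revision has to be kept server-side.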

All 4 comments

cc @blizzz @jospoortvliet

We're working on a solution to specifically ask for consent as a separate app. Normally, you only need that for user data storage that goes beyond what you need to provide the service to them. So for example, to log in they need a cookie, so you don't have to ask for consent for that cookie: you wouldn't be able to log them in otherwise. Just put it in the privacy policy.

But if you store a cookie to track them for advertising you need consent, which will be possible in Nextcloud 14.

Have no opinions on the _blank vs _top ;-)

cc @juliushaertl for theming. What do you think? :)

This is more something for the terms of service app https://github.com/nextcloud/terms_of_service/

Right now it will show the ToS after login, so if that doesn't suit your use case a new feature request should be opened in the apps repo.
