Add config variables for enabling terms auth and the policy name (#4142)

So people can still collect consent the old way if they want to.
This commit is contained in:
Travis Ralston 2018-11-06 03:32:34 -07:00 committed by Richard van der Hoff
parent f1087106cf
commit 0f5e51f726
10 changed files with 65 additions and 11 deletions

View file

@ -1 +1 @@
Add `m.login.terms` to the registration flow when consent tracking is enabled. **This makes the template arguments conditionally optional on a new `public_version` variable - update your privacy templates to support this.** Include flags to optionally add `m.login.terms` to the registration flow when consent tracking is enabled.

View file

@ -1 +1 @@
Add `m.login.terms` to the registration flow when consent tracking is enabled. **This makes the template arguments conditionally optional on a new `public_version` variable - update your privacy templates to support this.** Include flags to optionally add `m.login.terms` to the registration flow when consent tracking is enabled.

1
changelog.d/4142.feature Normal file
View file

@ -0,0 +1 @@
Include flags to optionally add `m.login.terms` to the registration flow when consent tracking is enabled.

View file

@ -81,9 +81,40 @@ should be a matter of `pip install Jinja2`. On debian, try `apt-get install
python-jinja2`. python-jinja2`.
Once this is complete, and the server has been restarted, try visiting Once this is complete, and the server has been restarted, try visiting
`https://<server>/_matrix/consent`. If correctly configured, you should see a `https://<server>/_matrix/consent`. If correctly configured, this should give
default policy document. It is now possible to manually construct URIs where an error "Missing string query parameter 'u'". It is now possible to manually
users can give their consent. construct URIs where users can give their consent.
### Enabling consent tracking at registration
1. Add the following to your configuration:
```yaml
user_consent:
require_at_registration: true
policy_name: "Privacy Policy" # or whatever you'd like to call the policy
```
2. In your consent templates, make use of the `public_version` variable to
see if an unauthenticated user is viewing the page. This is typically
wrapped around the form that would be used to actually agree to the document:
```
{% if not public_version %}
<!-- The variables used here are only provided when the 'u' param is given to the homeserver -->
<form method="post" action="consent">
<input type="hidden" name="v" value="{{version}}"/>
<input type="hidden" name="u" value="{{user}}"/>
<input type="hidden" name="h" value="{{userhmac}}"/>
<input type="submit" value="Sure thing!"/>
</form>
{% endif %}
```
3. Restart Synapse to apply the changes.
Visiting `https://<server>/_matrix/consent` should now give you a view of the privacy
document. This is what users will be able to see when registering for accounts.
### Constructing the consent URI ### Constructing the consent URI
@ -108,7 +139,8 @@ query parameters:
Note that not providing a `u` parameter will be interpreted as wanting to view Note that not providing a `u` parameter will be interpreted as wanting to view
the document from an unauthenticated perspective, such as prior to registration. the document from an unauthenticated perspective, such as prior to registration.
Therefore, the `h` parameter is not required in this scenario. Therefore, the `h` parameter is not required in this scenario. To enable this
behaviour, set `require_at_registration` to `true` in your `user_consent` config.
Sending users a server notice asking them to agree to the policy Sending users a server notice asking them to agree to the policy

View file

@ -42,6 +42,14 @@ DEFAULT_CONFIG = """\
# until the user consents to the privacy policy. The value of the setting is # until the user consents to the privacy policy. The value of the setting is
# used as the text of the error. # used as the text of the error.
# #
# 'require_at_registration', if enabled, will add a step to the registration
# process, similar to how captcha works. Users will be required to accept the
# policy before their account is created.
#
# 'policy_name' is the display name of the policy users will see when registering
# for an account. Has no effect unless `require_at_registration` is enabled.
# Defaults to "Privacy Policy".
#
# user_consent: # user_consent:
# template_dir: res/templates/privacy # template_dir: res/templates/privacy
# version: 1.0 # version: 1.0
@ -54,6 +62,8 @@ DEFAULT_CONFIG = """\
# block_events_error: >- # block_events_error: >-
# To continue using this homeserver you must review and agree to the # To continue using this homeserver you must review and agree to the
# terms and conditions at %(consent_uri)s # terms and conditions at %(consent_uri)s
# require_at_registration: False
# policy_name: Privacy Policy
# #
""" """
@ -67,6 +77,8 @@ class ConsentConfig(Config):
self.user_consent_server_notice_content = None self.user_consent_server_notice_content = None
self.user_consent_server_notice_to_guests = False self.user_consent_server_notice_to_guests = False
self.block_events_without_consent_error = None self.block_events_without_consent_error = None
self.user_consent_at_registration = False
self.user_consent_policy_name = "Privacy Policy"
def read_config(self, config): def read_config(self, config):
consent_config = config.get("user_consent") consent_config = config.get("user_consent")
@ -83,6 +95,12 @@ class ConsentConfig(Config):
self.user_consent_server_notice_to_guests = bool(consent_config.get( self.user_consent_server_notice_to_guests = bool(consent_config.get(
"send_server_notice_to_guests", False, "send_server_notice_to_guests", False,
)) ))
self.user_consent_at_registration = bool(consent_config.get(
"require_at_registration", False,
))
self.user_consent_policy_name = consent_config.get(
"policy_name", "Privacy Policy",
)
def default_config(self, **kwargs): def default_config(self, **kwargs):
return DEFAULT_CONFIG return DEFAULT_CONFIG

View file

@ -472,7 +472,7 @@ class AuthHandler(BaseHandler):
"privacy_policy": { "privacy_policy": {
"version": self.hs.config.user_consent_version, "version": self.hs.config.user_consent_version,
"en": { "en": {
"name": "Privacy Policy", "name": self.hs.config.user_consent_policy_name,
"url": "%s/_matrix/consent?v=%s" % ( "url": "%s/_matrix/consent?v=%s" % (
self.hs.config.public_baseurl, self.hs.config.public_baseurl,
self.hs.config.user_consent_version, self.hs.config.user_consent_version,

View file

@ -360,7 +360,7 @@ class RegisterRestServlet(RestServlet):
]) ])
# Append m.login.terms to all flows if we're requiring consent # Append m.login.terms to all flows if we're requiring consent
if self.hs.config.block_events_without_consent_error is not None: if self.hs.config.user_consent_at_registration:
new_flows = [] new_flows = []
for flow in flows: for flow in flows:
flow.append(LoginType.TERMS) flow.append(LoginType.TERMS)

View file

@ -142,7 +142,7 @@ class ConsentResource(Resource):
userhmac = None userhmac = None
has_consented = False has_consented = False
public_version = username == "" public_version = username == ""
if not public_version: if not public_version or not self.hs.config.user_consent_at_registration:
userhmac = parse_string(request, "h", required=True, encoding=None) userhmac = parse_string(request, "h", required=True, encoding=None)
self._check_hash(username, userhmac) self._check_hash(username, userhmac)

View file

@ -42,7 +42,8 @@ class TermsTestCase(unittest.HomeserverTestCase):
hs.config.enable_registration_captcha = False hs.config.enable_registration_captcha = False
def test_ui_auth(self): def test_ui_auth(self):
self.hs.config.block_events_without_consent_error = True self.hs.config.user_consent_at_registration = True
self.hs.config.user_consent_policy_name = "My Cool Privacy Policy"
self.hs.config.public_baseurl = "https://example.org" self.hs.config.public_baseurl = "https://example.org"
self.hs.config.user_consent_version = "1.0" self.hs.config.user_consent_version = "1.0"
@ -66,7 +67,7 @@ class TermsTestCase(unittest.HomeserverTestCase):
"policies": { "policies": {
"privacy_policy": { "privacy_policy": {
"en": { "en": {
"name": "Privacy Policy", "name": "My Cool Privacy Policy",
"url": "https://example.org/_matrix/consent?v=1.0", "url": "https://example.org/_matrix/consent?v=1.0",
}, },
"version": "1.0" "version": "1.0"

View file

@ -123,6 +123,8 @@ def default_config(name):
config.user_directory_search_all_users = False config.user_directory_search_all_users = False
config.user_consent_server_notice_content = None config.user_consent_server_notice_content = None
config.block_events_without_consent_error = None config.block_events_without_consent_error = None
config.user_consent_at_registration = False
config.user_consent_policy_name = "Privacy Policy"
config.media_storage_providers = [] config.media_storage_providers = []
config.autocreate_auto_join_rooms = True config.autocreate_auto_join_rooms = True
config.auto_join_rooms = [] config.auto_join_rooms = []