From 7b1ce92713b32058c32417db5b5286a835821821 Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Fri, 2 Nov 2018 13:30:51 -0600 Subject: [PATCH 1/6] Add config variables for enabling terms auth and the policy name So people can still collect consent the old way if they want to. --- synapse/config/consent_config.py | 18 ++++++++++++++++++ synapse/handlers/auth.py | 2 +- synapse/rest/consent/consent_resource.py | 2 +- tests/test_terms_auth.py | 5 +++-- tests/utils.py | 2 ++ 5 files changed, 25 insertions(+), 4 deletions(-) diff --git a/synapse/config/consent_config.py b/synapse/config/consent_config.py index e22c731aadec..6ec8e9b0c498 100644 --- a/synapse/config/consent_config.py +++ b/synapse/config/consent_config.py @@ -42,6 +42,14 @@ # until the user consents to the privacy policy. The value of the setting is # used as the text of the error. # +# 'require_at_registration', if enabled, will add a step to the registration +# process, similar to how captcha works. Users will be required to accept the +# policy before their account is created. +# +# 'policy_name' is the name of the policy users will see when registering for +# an account. Defaults to "Privacy Policy" and requires require_at_registration +# to be enabled. +# # user_consent: # template_dir: res/templates/privacy # version: 1.0 @@ -54,6 +62,8 @@ # block_events_error: >- # To continue using this homeserver you must review and agree to the # terms and conditions at %(consent_uri)s +# require_at_registration: False +# policy_name: Privacy Policy # """ @@ -67,6 +77,8 @@ def __init__(self): self.user_consent_server_notice_content = None self.user_consent_server_notice_to_guests = False self.block_events_without_consent_error = None + self.user_consent_at_registration = False + self.user_consent_policy_name = "Privacy Policy" def read_config(self, config): consent_config = config.get("user_consent") @@ -83,6 +95,12 @@ def read_config(self, config): self.user_consent_server_notice_to_guests = bool(consent_config.get( "send_server_notice_to_guests", False, )) + self.user_consent_at_registration = bool(consent_config.get( + "require_at_registration", False, + )) + self.user_consent_policy_name = consent_config.get( + "policy_name", "Privacy Policy", + ) def default_config(self, **kwargs): return DEFAULT_CONFIG diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py index 85fc1fc52521..a958c45271fd 100644 --- a/synapse/handlers/auth.py +++ b/synapse/handlers/auth.py @@ -472,7 +472,7 @@ def _get_params_terms(self): "privacy_policy": { "version": self.hs.config.user_consent_version, "en": { - "name": "Privacy Policy", + "name": self.hs.config.user_consent_policy_name, "url": "%s/_matrix/consent?v=%s" % ( self.hs.config.public_baseurl, self.hs.config.user_consent_version, diff --git a/synapse/rest/consent/consent_resource.py b/synapse/rest/consent/consent_resource.py index 89b82b059117..39ace410192a 100644 --- a/synapse/rest/consent/consent_resource.py +++ b/synapse/rest/consent/consent_resource.py @@ -142,7 +142,7 @@ def _async_render_GET(self, request): userhmac = None has_consented = False public_version = username == "" - if not public_version: + if not public_version or not self.hs.config.user_consent_at_registration: userhmac = parse_string(request, "h", required=True, encoding=None) self._check_hash(username, userhmac) diff --git a/tests/test_terms_auth.py b/tests/test_terms_auth.py index 7deab5266f2f..0b71c6feb900 100644 --- a/tests/test_terms_auth.py +++ b/tests/test_terms_auth.py @@ -42,7 +42,8 @@ def prepare(self, reactor, clock, hs): hs.config.enable_registration_captcha = False def test_ui_auth(self): - self.hs.config.block_events_without_consent_error = True + self.hs.config.user_consent_at_registration = True + self.hs.config.user_consent_policy_name = "My Cool Privacy Policy" self.hs.config.public_baseurl = "https://example.org" self.hs.config.user_consent_version = "1.0" @@ -66,7 +67,7 @@ def test_ui_auth(self): "policies": { "privacy_policy": { "en": { - "name": "Privacy Policy", + "name": "My Cool Privacy Policy", "url": "https://example.org/_matrix/consent?v=1.0", }, "version": "1.0" diff --git a/tests/utils.py b/tests/utils.py index 565bb60d0882..67ab916f30a3 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -123,6 +123,8 @@ def default_config(name): config.user_directory_search_all_users = False config.user_consent_server_notice_content = None config.block_events_without_consent_error = None + config.user_consent_at_registration = False + config.user_consent_policy_name = "Privacy Policy" config.media_storage_providers = [] config.autocreate_auto_join_rooms = True config.auto_join_rooms = [] From 73f5f559e76cb4b00eb37dcf617ba7fae721b63e Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Fri, 2 Nov 2018 13:35:11 -0600 Subject: [PATCH 2/6] Changelog --- changelog.d/4142.feature | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/4142.feature diff --git a/changelog.d/4142.feature b/changelog.d/4142.feature new file mode 100644 index 000000000000..0877791565cd --- /dev/null +++ b/changelog.d/4142.feature @@ -0,0 +1 @@ +Add configuration options for enabling consent at registration and changing the policy name. From 5f9c5a0540af3b0e6b8039c4ce93b20b3ee307c0 Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Fri, 2 Nov 2018 13:47:22 -0600 Subject: [PATCH 3/6] Actually use the new flag that was introduced --- synapse/rest/client/v2_alpha/register.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/synapse/rest/client/v2_alpha/register.py b/synapse/rest/client/v2_alpha/register.py index c5214330ada4..0515715f7c4a 100644 --- a/synapse/rest/client/v2_alpha/register.py +++ b/synapse/rest/client/v2_alpha/register.py @@ -360,7 +360,7 @@ def on_POST(self, request): ]) # Append m.login.terms to all flows if we're requiring consent - if self.hs.config.block_events_without_consent_error is not None: + if self.hs.config.user_consent_at_registration: new_flows = [] for flow in flows: flow.append(LoginType.TERMS) From 5685a63e5137fa337dbc15361bbea3d1db55a1a2 Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Mon, 5 Nov 2018 14:28:12 -0700 Subject: [PATCH 4/6] Combine and update changelog entries --- changelog.d/4004.feature | 2 +- changelog.d/4133.feature | 2 +- changelog.d/4142.feature | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/changelog.d/4004.feature b/changelog.d/4004.feature index ef5cdaf5ec6c..89975f4c6e56 100644 --- a/changelog.d/4004.feature +++ b/changelog.d/4004.feature @@ -1 +1 @@ -Add `m.login.terms` to the registration flow when consent tracking is enabled. **This makes the template arguments conditionally optional on a new `public_version` variable - update your privacy templates to support this.** +Include flags to optionally add `m.login.terms` to the registration flow when consent tracking is enabled. diff --git a/changelog.d/4133.feature b/changelog.d/4133.feature index ef5cdaf5ec6c..89975f4c6e56 100644 --- a/changelog.d/4133.feature +++ b/changelog.d/4133.feature @@ -1 +1 @@ -Add `m.login.terms` to the registration flow when consent tracking is enabled. **This makes the template arguments conditionally optional on a new `public_version` variable - update your privacy templates to support this.** +Include flags to optionally add `m.login.terms` to the registration flow when consent tracking is enabled. diff --git a/changelog.d/4142.feature b/changelog.d/4142.feature index 0877791565cd..89975f4c6e56 100644 --- a/changelog.d/4142.feature +++ b/changelog.d/4142.feature @@ -1 +1 @@ -Add configuration options for enabling consent at registration and changing the policy name. +Include flags to optionally add `m.login.terms` to the registration flow when consent tracking is enabled. From 3e37ad3328409accff71689ec91666778ed1b04d Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Mon, 5 Nov 2018 14:28:26 -0700 Subject: [PATCH 5/6] Update docs for how consent tracking works --- docs/consent_tracking.md | 40 ++++++++++++++++++++++++++++++++++++---- 1 file changed, 36 insertions(+), 4 deletions(-) diff --git a/docs/consent_tracking.md b/docs/consent_tracking.md index 3634d13d4fc0..c586b5f0b67c 100644 --- a/docs/consent_tracking.md +++ b/docs/consent_tracking.md @@ -81,9 +81,40 @@ should be a matter of `pip install Jinja2`. On debian, try `apt-get install python-jinja2`. Once this is complete, and the server has been restarted, try visiting -`https:///_matrix/consent`. If correctly configured, you should see a -default policy document. It is now possible to manually construct URIs where -users can give their consent. +`https:///_matrix/consent`. If correctly configured, this should give +an error "Missing string query parameter 'u'". It is now possible to manually +construct URIs where users can give their consent. + +### Enabling consent tracking at registration + +1. Add the following to your configuration: + + ```yaml + user_consent: + require_at_registration: true + policy_name: "Privacy Policy" # or whatever you'd like to call the policy + ``` + +2. In your consent templates, make use of the `public_version` variable to + see if an unauthenticated user is viewing the page. This is typically + wrapped around the form that would be used to actually agree to the document: + + ``` + {% if not public_version %} + +
+ + + + +
+ {% endif %} + ``` + +3. Restart Synapse to apply the changes. + +Visiting `https:///_matrix/consent` should now give you a view of the privacy +document. This is what users will be able to see when registering for accounts. ### Constructing the consent URI @@ -108,7 +139,8 @@ query parameters: Note that not providing a `u` parameter will be interpreted as wanting to view the document from an unauthenticated perspective, such as prior to registration. -Therefore, the `h` parameter is not required in this scenario. +Therefore, the `h` parameter is not required in this scenario. To enable this +behaviour, set `require_at_registration` to `true` in your `user_consent` config. Sending users a server notice asking them to agree to the policy From 8b66e9c84b1953d4eb0215ced98434b79557f8f3 Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Mon, 5 Nov 2018 14:28:35 -0700 Subject: [PATCH 6/6] Clarify new configuration options --- synapse/config/consent_config.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/synapse/config/consent_config.py b/synapse/config/consent_config.py index 6ec8e9b0c498..f193a090ae2e 100644 --- a/synapse/config/consent_config.py +++ b/synapse/config/consent_config.py @@ -46,9 +46,9 @@ # process, similar to how captcha works. Users will be required to accept the # policy before their account is created. # -# 'policy_name' is the name of the policy users will see when registering for -# an account. Defaults to "Privacy Policy" and requires require_at_registration -# to be enabled. +# 'policy_name' is the display name of the policy users will see when registering +# for an account. Has no effect unless `require_at_registration` is enabled. +# Defaults to "Privacy Policy". # # user_consent: # template_dir: res/templates/privacy