From f7ad7efe860f050dde933050b1a8555939fd8e89 Mon Sep 17 00:00:00 2001
From: Demetrio Girardi <dgirardi@prebid.org>
Date: Tue, 25 Oct 2022 09:14:39 -0700
Subject: [PATCH] Gdpr enforcement softVendorExceptions

---
 modules/gdprEnforcement.js                |  5 +++--
 test/spec/modules/gdprEnforcement_spec.js | 22 ++++++++++++++++++----
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/modules/gdprEnforcement.js b/modules/gdprEnforcement.js
index 15d4591bf993..9553ad0586aa 100644
--- a/modules/gdprEnforcement.js
+++ b/modules/gdprEnforcement.js
@@ -154,13 +154,14 @@ export function validateRules(rule, consentData, currentModule, gvlId) {
   const purposeId = TCF2[Object.keys(TCF2).filter(purposeName => TCF2[purposeName].name === rule.purpose)[0]].id;
 
   // return 'true' if vendor present in 'vendorExceptions'
-  if (includes(rule.vendorExceptions || [], currentModule)) {
+  if ((rule.vendorExceptions || []).includes(currentModule)) {
     return true;
   }
+  const vendorConsentRequred = !((gvlId === VENDORLESS_GVLID || (rule.softVendorExceptions || []).includes(currentModule)))
 
   // get data from the consent string
   const purposeConsent = deepAccess(consentData, `vendorData.purpose.consents.${purposeId}`);
-  const vendorConsent = gvlId === VENDORLESS_GVLID ? true : deepAccess(consentData, `vendorData.vendor.consents.${gvlId}`);
+  const vendorConsent = vendorConsentRequred ? deepAccess(consentData, `vendorData.vendor.consents.${gvlId}`) : true;
   const liTransparency = deepAccess(consentData, `vendorData.purpose.legitimateInterests.${purposeId}`);
 
   /*
diff --git a/test/spec/modules/gdprEnforcement_spec.js b/test/spec/modules/gdprEnforcement_spec.js
index 564a9b356f4f..81d5c470c6aa 100644
--- a/test/spec/modules/gdprEnforcement_spec.js
+++ b/test/spec/modules/gdprEnforcement_spec.js
@@ -791,11 +791,12 @@ describe('gdpr enforcement', function () {
   });
 
   describe('validateRules', function () {
-    const createGdprRule = (purposeName = 'storage', enforcePurpose = true, enforceVendor = true, vendorExceptions = []) => ({
+    const createGdprRule = (purposeName = 'storage', enforcePurpose = true, enforceVendor = true, vendorExceptions = [], softVendorExceptions = []) => ({
       purpose: purposeName,
-      enforcePurpose: enforcePurpose,
-      enforceVendor: enforceVendor,
-      vendorExceptions: vendorExceptions
+      enforcePurpose,
+      enforceVendor,
+      vendorExceptions,
+      softVendorExceptions,
     });
 
     const consentData = {
@@ -909,6 +910,19 @@ describe('gdpr enforcement', function () {
       expect(isAllowed).to.equal(true);
     });
 
+    describe('when the vendor has a softVendorException', () => {
+      const gdprRule = createGdprRule('storage', true, true, [], [vendorBlockedModule]);
+
+      it('should return false if general consent was not given', () => {
+        const isAllowed = validateRules(gdprRule, consentDataWithPurposeConsentFalse, vendorBlockedModule, vendorBlockedGvlId);
+        expect(isAllowed).to.be.false;
+      })
+      it('should return true if general consent was given', () => {
+        const isAllowed = validateRules(gdprRule, consentData, vendorBlockedModule, vendorBlockedGvlId);
+        expect(isAllowed).to.be.true;
+      })
+    })
+
     describe('when module does not need vendor consent', () => {
       Object.entries({
         'storage': 1,