RubyGems - gdpr_rails - Versions diffs - 0.1.0 → 0.2.0 - Mend

gdpr_rails 0.1.0 → 0.2.0

Files changed (80) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7b508168e6f7964e7ed9455719b8828f42c3f4bc
-  data.tar.gz: 0fd77a485f155609c0e7a7b5fb6f7d92b24e8cf6
+  metadata.gz: 6e1522cfa4e643a2187c28f8dda396e10bff4df2
+  data.tar.gz: 2ba6c8e17738855fcd61e9d476a78412c678d77c
 SHA512:
-  metadata.gz: 97d1ae4542cf9462b2c5ea35771e7c9c6c5cfa558b6dcf729a3e0938668ee4615391af7e14794bbf0e1049646f034937c9dd7e1a70c4317ead000ab3a7399705
-  data.tar.gz: 5ebdb33e81e72cc8605dafef381ab14b20130d095f06f2d4b6842536a94d32e8444336d645f42cbac17c98b7af4caa830dc56590ee8894cb6cebe71a16369d26
+  metadata.gz: 45a4ef9b1af643d4730bade46b7c589aace9c9cec2d67518c38d9b56d7ab64ebb07e513ba87ab63f14cd407ba215f95c953ba830cd0b2228f928e3b2aff21912
+  data.tar.gz: 1a2974662d4eaa3e44c10a99e69f99d4dd633ff93a7a40932dea50878358f15b74e184f29d450915e3130e087e5c22d636f42458a5bbd4a190ecb05c59084b1d

data/README.md CHANGED Viewed

@@ -1,28 +1,285 @@
-# Terms
-Short description and motivation.
-## Usage
-How to use my plugin.
+# GDPR RAILS
+### Rails Engine for the GDPR compliance
+![RB](https://media.giphy.com/media/L74KIFFW4kUkE/giphy.gif)
+> The world needs some privacy, please
+[![Build Status](https://travis-ci.org/prey/gdpr_rails.svg?branch=master&aa=123)](https://travis-ci.org/prey/gdpr_rails)
+[![Maintainability](https://api.codeclimate.com/v1/badges/4908e74f90a34ba473df/maintainability)](https://codeclimate.com/github/prey/gdpr_rails/maintainability)
+[![Coverage Status](https://coveralls.io/repos/github/prey/gdpr_rails/badge.svg?branch=master)](https://coveralls.io/github/prey/gdpr_rails?branch=master)
+## About this project
+PolicyManager (Aka GDPR RAILS) was created with flexibility in mind to comply with the requirements of the GDPR ([General Data Protection Regulation](https://www.eugdpr.org/)). It's currently being developed at preyproject and will be battle-tested on [preyproject.com](https://preyproject.com) from May 25th.
+### Main Features:
+#### Policy Rules
++ Configurable policy rules, supports activerecord validations for new or existing users
++ Supports session-less consent policies which will become persistent once the user signs in or signs up
++ Versioning system for new policies
++ JSON endpoints to handle pending policies and portability logic in order to be implemented in *client only* interfaces, ie: frontend apps like React, Vue, Backbone, you name it.
+#### Portability
+Portability module lets you define export options, that will generate a navigable static site with all the data you've defined in the **portability rules**
++ Seamless data export with configurable templates
++ Configurable Mailer templates for progress & download completion
++ Downloads images to the local filesystem in order to comply with GDPR requirements on data accessibility.
++ Zips all the information and delivers it with a expirable download link
++ ActiveJob to handle the process
++ Behind the scenes uses the paperclip gem in which you can set up storages, like S3, Google
+#### Scripts & Cookies
+Configurable *scripts* which will bind cookie names in order to handle the script rendering and the cookie clean up.
+#### Forgotability
++ TBD, for now we simply delete all the data when a user closes the account.  This could be handled in the future with encryption like in emails or other kind of sensible fields on a database.
+### Admin Panel
+![admin panel](./panel.jpg)
 ## Installation
-Add this line to your application's Gemfile:
+Add this line to your application's Gemfile:
+as `gem 'gdpr_rails'`
+Then in your application.rb require the policy_manager lib with
+`require "policy_manager"`
+Install & run the migrations
+`rake policy_manager:install:migrations`
+## Usage examples
+### Basic config
+```ruby
+config = PolicyManager::Config.setup do |c|
+  c.logout_url = "logout"
+  c.from_email = "admin@acme.com"
+  # is_admin method in order for engine to know
+  # how to authorize admin only areas
+  c.is_admin_method = ->(o){
+    o.is_god? || o.is_admin? || o.is_me? || o.watheva
+  }
+```
+In order for this engine to work you must supply some rules according to your needs, in order to be in comply with the GDPR you will need 3 rules at least. A cookie consent, a Privacy& TOS and an Age  confirmation (+16).
+So, let's start by doing that:
+## Term rules
+In your app router add the following:
+```ruby
+  mount PolicyManager::Engine => "/policies"
+```
+Then add an initializer, `config/initializers/gdpr.rb` and inside it set your policy rules.
 ```ruby
-gem 'terms'
+PolicyManager::Config.setup do |c|
+  c.add_rule({name: "cookie", sessionless: true }  )
+  c.add_rule({name: "age", validates_on: [:create, :update], blocking: true })
+  c.add_rule({name: "privacy_terms", validates_on: [:create, :update], blocking: true })
+end
+# If you are using devise, you must extend engines's controller with devise helpers in order to get current_user
+PolicyManager::UserTermsController.send(:include, Devise::Controllers::Helpers)
 ```
-And then execute:
-```bash
-$ bundle
+> Note that you will need to go to the policy panel and add the policy
+> content for each term at `http://localhost:3000/policies/categories` otherwise you will see errors like `no term for #{rule} policy`
+### ActiveRecord Methods
+When the policies are configured will generate some helper methods on User model. For example, with the example above you will get the following methods for free:
++ `@user.has_consented_cookie?`
++ `@user.has_consented_age?`
++ `@user.has_consented_privacy_terms?`
+#### also you get:
++ `@user.pending_policies`
++ `@user.pending_blocking_policies`
++ `@user.confirm_all_policies!`
++ `@user.reject_all_policies!`
++ `@user.needs_policy_confirmation_for?(rule)`
++ `@user.policy_term_on(rule)`
++ `@user.policy_user_term_on(term)`
++ `@user.handle_policy_for(term)`
++ `@user.can_request_portability?`
+## Policy rules:
++ **sessionless:** will allow rules to be available for non logged users, if accepted a cookie `cookies["policy_rule_cookie"]` will be generated. If then the user sign in or signs up you could get this cookie it will persist in database.
+**Use this in your controller:**
+```ruby
+@user.store_policy_cookie if cookies["policy_rule_cookie"] == "accepted"
+```
++ **validates_on:** will require users validation, will automagically create virtual attributes for the policy you set, so, if you set `age` in your config you must supply in your forms a `policy_rule_age` checkbox in your form, if you don't supply those then the user validation will return errors on `policy_rule_age` . Don't forget to add the fields in your strong params in the controller which handles the request.
++ **if:** you can add conditions as a Proc in order skip validations:
+```ruby
+  c.add_rule({name: "age", validates_on: [:create, :update],
+              if: ->(o){ o.enabled_for_validation } })
 ```
++ **on_reject**: Proc which will be triggered when user rejects a policy (has an argument that contains the controller context)
++ **on_accept**: Proc which will be triggered when user accepts a policy (has an argument that contains the controller context)
-Or install it yourself as:
-```bash
-$ gem install terms
+#### Example
+> This is an example for a `cookie` rule. The expected behavior would be when the user rejects cookies iterate over our scripts and delete cookies:
+```ruby
+  c.add_rule({name: "cookie", sessionless: true, on_reject: ->(context){
+      PolicyManager::Script.cookies
+      .select{|o| !o.permanent }
+      .each{|o|
+        o.cookies.each{|c|
+          context.send(:cookies).delete(c, domain: o.domain)
+        }
+      }
+    }
+  })
 ```
+#### Policy handling:
+There are some endpoints that will handle json in order to interact with client applications, like react interfaces, $.ajax etc.
+you can also use the html web panel directly from the engine.
+So, if the Engine was mounted on `/policies` then your routes will be:
+    pending_user_terms          GET    /user_terms/pending(.:format)                     policy_manager/user_terms#pending
+    accept_multiples_user_terms PUT    /user_terms/accept_multiples(.:format)            policy_manager/user_terms#accept_multiples
+    blocking_terms_user_terms   GET    /user_terms/blocking_terms(.:format)              policy_manager/user_terms#blocking_terms
+    accept_user_term            PUT    /user_terms/:id/accept(.:format)                  policy_manager/user_terms#accept
+    reject_user_term            PUT    /user_terms/:id/reject(.:format)                  policy_manager/user_terms#reject
+    user_terms                  GET    /user_terms(.:format)                             policy_manager/user_terms#index
+    user_term                   GET    /user_terms/:id(.:format)                         policy_manager/user_terms#show
+## Scripts & Cookies
+This is supposed to in mix with your declared cookie term. So, this configuration let's you declare your external scripts that are related with tracking, ie: Google Analytics, Kissmetrics, Google Tag manager, etc... This configuration expects that you declare scripts that will be rendered over certain contexts (environments) and have the names (and domains) of the cookies that those scripts generates.
+#### example:
+```ruby
+  c.add_script(
+    name: "google analytics",
+    script: 'shared/analytics/universal',
+    environments: [:production],
+    description: ->{I18n.t("cookies.list.google_analytics")},
+    cookies: ["_ga", "_gid", "_gat_XXX-XXX"],
+    domain: ".panel.preyproject.com"
+  )
+```
+> **Importance of declaring the cookie domain**: When you clean up the cookies (like in the example above for `on_reject`) is important to set the domain that this cookies belongs. In some cases this external scripts could add the cookie on your subdomain or your base domain. In out case we found that some cookies are generated on panel.preyproject.com or .panel.preyproject or just preyproject.com. Try to get that information on chrome console -> application -> cookies.
+### Example in your layout:
+This is an example on how you would render your scripts only if the user has accepted the cookie
+```ruby
+    <% if current_user.has_consented_cookie? %>
+     <!--  # this cames from portability/helpers/scripts_helpers -->
+      <%= render_scripts %>
+    <% end %>
+```
+`render_scripts` will iterate over your configured scripts and render the templates defined on `PolicyManager::Script`
+## Portability Rules
+Export option & Portability rules will allow you to set up how and which data you will give to a requester user.
+#### Exporter:
++ **path**: where the folder will be generated, usually can be set on /tmp, this will need a pathname, like `Rails.root.join("tmp/export")`
++ **resource**: which model , ie: `User`
++ **index_template**: The first page. defaults to a simple ul li list of links tied to your rules, this expects a Pathname or a String with yout template
++ **layout**: A layout template to wrap the static site,  this expects a Pathname or a String with your template
++ **after_zip**: a callback to handle the zip file on the resource, something like:
+```ruby
+after_zip: ->(zip_path, resource){
+  puts "THIS IS GREAT #{zip_path} was zipped, now what ??"
+}
+```
++ **mail_helpers**:  If you have some helpers you want to add to the mailers, then you can pass an Array of helpers, `[MailHelper, OtherMailHelper]`,
++ **attachment_path**: Paperclip upload path , defaults to "portability/:id/build.zip",
++ **attachment_storage**: Paperclip storage, defaults to filesystem , you can set `s3` or `google` or whatever paperclip supports
++ **expiration_link**: integer, defaults to 60 (1 minute),
+#### Portability Rules:
+Portability rules collection render. This will call a @user.articles
+and will auto paginate records
+```ruby
+PolicyManager::Config.setup do |c|
+  # minimal exporter setup
+  c.exporter = {
+    path: Rails.root + "tmp/export",
+    resource: User
+  }
+  # portability rules, collection render. This will call a @user.articles
+  # and will auto paginate records
+  # template expects a string or path
+  c.add_portability_rule({
+    name: "exportable_data",
+    collection: :articles,
+    template: "hello, a collection will be rendered here use @collection.to_json",
+    per: 10
+  })
+  # portability rules, member render. This will call a @user.account_data
+  # template expects a string or path
+  c.add_portability_rule({
+    name: "my_account",
+    member: :account_data,
+    template: "hellow , here a resource will be rendered <%= @member.to_json %> "
+  })
+end
+```
+**Important:**
+> If the content that will be delivered has images use the `image_tag`
+> in your template.  This helper was reimplemented in order for the remote image to be downloaded automatically.
+> And will be served locally in order to comply with the
+> Portability data requirements.
+### Web Endpoints and methods for user:
+```
+user_portability_requests   GET    /user_portability_requests(.:format)              policy_manager/user_portability_requests#index
+                            POST   /user_portability_requests(.:format)              policy_manager/user_portability_requests#create
+user_portability_request    DELETE /user_portability_requests/:id(.:format)          policy_manager/user_portability_requests#destroy
+```
+### Web Endpoints and methods for admin :
+this routes are accessible from engine's admin panel
+```
+confirm_portability_request GET    /portability_requests/:id/confirm(.:format)       policy_manager/portability_requests#confirm
+portability_requests        GET    /portability_requests(.:format)                   policy_manager/portability_requests#index
+portability_request         DELETE /portability_requests/:id(.:format)               policy_manager/portability_requests#destroy
+```
+# TO DO
++   anonimyzer
+#### Acknowledgments
++ [Prey Team](https://github.com/orgs/prey/people)
++ Special thanks to our legal GDPR advisor: Paul Lagniel <paul@preyhq.com>
+#### Main maintainers
++ Miguel Michelson - miguel@preyhq.com
++ Patricio Jofré - pato@preyhq.com
 ## Contributing
-Contribution directions go here.
+just fork the repo and send us a Pull Request, with some tests please :)
 ## License
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/app/assets/javascripts/policy_manager/application.js CHANGED Viewed

@@ -11,3 +11,7 @@
 // about supported directives.
 //
 //= require_tree .
+//= require rails-ujs
+//= require chartkick

data/app/assets/javascripts/policy_manager/portability_requests.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ // Place all the behaviors and hooks related to the matching controller here.
2	+ // All this logic will automatically be available in application.js.

data/app/assets/javascripts/policy_manager/user_portability_requests.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ // Place all the behaviors and hooks related to the matching controller here.
2	+ // All this logic will automatically be available in application.js.

data/app/assets/stylesheets/policy_manager/portability_requests.css ADDED Viewed

@@ -0,0 +1,4 @@
+/*
+  Place all the styles related to the matching controller here.
+  They will automatically be included in application.css.
+*/

data/app/assets/stylesheets/policy_manager/user_portability_requests.css ADDED Viewed

@@ -0,0 +1,4 @@
+/*
+  Place all the styles related to the matching controller here.
+  They will automatically be included in application.css.
+*/

data/app/controllers/policy_manager/application_controller.rb CHANGED Viewed

@@ -1,5 +1,27 @@
 module PolicyManager
   class ApplicationController < ActionController::Base
+    if defined? Doorman
+      include Doorman::Controller
+    end
+    before_action :user_authenticated?
+    before_action :set_language
+    def allow_admins
+      return redirect_to root_path unless Config.is_admin?(current_user)
+    end
+    def user_authenticated?
+      if current_user.blank?
+        render :file => "public/401.html", :layout => false, :status => :unauthorized
+      end
+    end
+    def set_language
+      I18n.locale = Config.user_language(current_user)
+    end
     protect_from_forgery with: :exception
   end
 end

data/app/controllers/policy_manager/categories_controller.rb CHANGED Viewed

@@ -1,62 +1,20 @@
-require_dependency "terms/application_controller"
+require_dependency "policy_manager/application_controller"
 module PolicyManager
   class CategoriesController < ApplicationController
-    before_action :set_category, only: [:show, :edit, :update, :destroy]
+    before_action :allow_admins
     # GET /categories
     def index
-      @categories = Category.all
+      @categories = PolicyManager::Config.rules
     end
     # GET /categories/1
     def show
-    end
-    # GET /categories/new
-    def new
-      @category = Category.new
-    end
-    # GET /categories/1/edit
-    def edit
-    end
-    # POST /categories
-    def create
-      @category = Category.new(category_params)
-      if @category.save
-        redirect_to @category, notice: 'Category was successfully created.'
-      else
-        render :new
-      end
-    end
-    # PATCH/PUT /categories/1
-    def update
-      if @category.update(category_params)
-        redirect_to @category, notice: 'Category was successfully updated.'
-      else
-        render :edit
-      end
-    end
-    # DELETE /categories/1
-    def destroy
-      @category.destroy
-      redirect_to categories_url, notice: 'Category was successfully destroyed.'
+      @category = PolicyManager::Config.rules.find{|o| o.name == params[:id]}
     end
     private
-      # Use callbacks to share common setup or constraints between actions.
-      def set_category
-        @category = Category.find(params[:id])
-      end
-      # Only allow a trusted parameter "white list" through.
-      def category_params
-        params.require(:category).permit(:name)
-      end
   end
 end

data/app/controllers/policy_manager/portability_requests_controller.rb ADDED Viewed

@@ -0,0 +1,34 @@
+require_dependency "policy_manager/application_controller"
+module PolicyManager
+  class PortabilityRequestsController < ApplicationController
+    before_action :set_portability_request, only: :destroy
+    before_action :allow_admins
+    # GET /portability_requests
+    def index
+      @portability_requests = PortabilityRequest.order(created_at: :desc).paginate(:page => params[:page], :per_page => 10)
+    end
+    def confirm
+      @portability_request = PortabilityRequest.find(params[:id])
+      if @portability_request.confirm!
+        redirect_to portability_requests_path
+      end
+    end
+    # DELETE /portability_requests/1
+    def destroy
+      @portability_request.destroy
+      redirect_to portability_requests_url, notice: I18n.t("terms_app.portability_requests.index.destroyed")
+    end
+    private
+    # Use callbacks to share common setup or constraints between actions.
+    def set_portability_request
+      @portability_request = PortabilityRequest.find(params[:id])
+    end
+  end
+end

data/app/controllers/policy_manager/terms_controller.rb CHANGED Viewed

@@ -1,9 +1,10 @@
-require_dependency "terms/application_controller"
+require_dependency "policy_manager/application_controller"
 module PolicyManager
   class TermsController < ApplicationController
     before_action :set_term, only: [:show, :edit, :update, :destroy]
+    before_action :allow_admins
     # GET /terms
     def index
       @terms = Term.all
@@ -27,7 +28,7 @@ module PolicyManager
       @term = Term.new(term_params)
       if @term.save
-        redirect_to category_term_path(@term.category, @term), notice: 'Term was successfully created.'
+        redirect_to category_term_path(@term.rule.name, @term), notice: I18n.t("terms_app.terms.new.created")
       else
         render :new
       end
@@ -36,7 +37,7 @@ module PolicyManager
     # PATCH/PUT /terms/1
     def update
       if @term.update(term_params)
-        redirect_to category_term_path(@term.category, @term), notice: 'Term was successfully updated.'
+        redirect_to category_term_path(@term.rule.name, @term), notice: I18n.t("terms_app.terms.new.updated")
       else
         render :edit
       end
@@ -45,18 +46,20 @@ module PolicyManager
     # DELETE /terms/1
     def destroy
       @term.destroy
-      redirect_to category_terms_path(@term.category), notice: 'Term was successfully destroyed.'
+      redirect_to category_terms_path(@term.rule.name), notice: I18n.t("terms_app.terms.new.destroyed")
     end
     private
-      # Use callbacks to share common setup or constraints between actions.
-      def set_term
-        @term = Term.find(params[:id])
-      end
-      # Only allow a trusted parameter "white list" through.
-      def term_params
-        params.require(:term).permit(:description, :category_id)
-      end
+    # Use callbacks to share common setup or constraints between actions.
+    def set_term
+      @term = Term.find(params[:id])
+    end
+    # Only allow a trusted parameter "white list" through.
+    def term_params
+      params.require(:term).permit(:description, :rule, :state)
+    end
   end
 end

data/app/controllers/policy_manager/user_portability_requests_controller.rb ADDED Viewed

@@ -0,0 +1,41 @@
+require_dependency "policy_manager/application_controller"
+module PolicyManager
+  class UserPortabilityRequestsController < ApplicationController
+    def index
+      @user_portability_requests = current_user.portability_requests.order(created_at: :desc).paginate(:page => params[:page], :per_page => 10)
+    end
+    def create
+      respond_to do |format|
+        format.html{
+          if current_user.can_request_portability?
+            if current_user.portability_requests.create
+              redirect_to user_portability_requests_path, notice: I18n.t("terms_app.user_portability_requests.index.created")
+            end
+          else
+            redirect_to user_portability_requests_path, notice: I18n.t("terms_app.user_portability_requests.index.has_pending")
+          end
+        }
+        format.json{
+          if current_user.can_request_portability?
+            if current_user.portability_requests.create
+              render json: {notice: I18n.t("terms_app.user_portability_requests.index.created")}
+            end
+          else
+            render json: {notice: I18n.t("terms_app.user_portability_requests.index.has_pending")}, status: 422
+          end
+        }
+      end
+    end
+    def destroy
+      PortabilityRequest.find(params[:id]).destroy
+      redirect_to user_portability_requests_url, notice: I18n.t("terms_app.portability_requests.index.destroyed")
+    end
+    private
+  end
+end