Merged
Conversation
In order not to confuse implementors that the data consent is not only about cookies.
Member
Mea culpa 😅 Seems like there's a merge conflict, can you resolve it? Also, we should review and update the docs to reflect the "data consent" nomenclature, and at least mention LocalStorage. Something along the lines of what we've talked about these last couple of weeks would be nice (Like "Even though the user interface talks only about Cookie consent, this actually handles any kind of browser API that could potentially be used for tracking users, like Cookies and LocalStorage").
Can you handle that? |
Member
|
Also, I've just remembered about this doc page about "Testing SSL in localhost". Can you change it with the new instructions please? |
Add a note that the data consent is not only about cookies.
decidim-core/app/packs/src/decidim/data_consent/consent_manager.test.js
Outdated
Show resolved
Hide resolved
Member
|
I tried it locally and it works as expected:
The new SSL cert in development I tried it the other day and worked as expected (with the Secure cookie too) I've tried it out with the configuration that I've made for Metadecidim and it work well too:
Just found a couple of things to mention, but I can live with those, just want to hear your feedback @ahukkanen before merging |
Contributor
Author
|
@andreslucena The changes related to the class names and IDs are done. I guess if the build shows green, it's ready to go. It should pass unless I messed up something (tested it in the browser myself and it worked fine). |
verarojman
previously approved these changes
Aug 4, 2022
Contributor
verarojman
left a comment
There was a problem hiding this comment.
Eveything works great! I just have some suggestions regarding some of the locales introduced by #9271 . I imagine this is out of scope, but I wanted to comment on it nevertheless.
My suggestions are the following (the file is decidim-core/config/locales/en.yml lines 1766-1770)
en.layouts.decidim.data_consent.modal.description: We use cookies to ensure the basic functionalities of the website and to enhance your online experience. You can configure and accept the use of the cookies, and modify your consent options, at any time.
en.layouts.decidim.data_consent.modal.analytics.description: These cookies are used to measure and analyse the website audience (visitor volume, pages viewed, average browsing time, etc.) to help improve its performance.
en.layouts.decidim.data_consent.modal.essential.description: These cookies are necessary for the functionality of the website, they are automatically saved in the browser and cannot be configured. They enable key functions of the website (language used, account access, etc.), and secure our website against any attempted fraud.Also, I think the marketing and preferences cookies description need to be improved as well, but I'm not sure what kind of data they are storing so I cannot provide a specific suggestion.
Marketing: "These cookies collect information about how you use the website, which pages you visited and which links you clicked on."
Preferences: "These cookies allow the website to remember the choices you have made in the past"
Contributor
Author
This is great feedback and I have applied changes to these terms based on your comments but I also made slight modifications. My main point is that these generic descriptions should not include any examples that you wrote in your suggestions because different services can do different stuff. These specific details should be explained in the cookie descriptions added for the particular services, which is the implementor's responsibility. Also some of those examples in your suggestion e.g. regarding the "essential" category was not exact, so I just decided to drop those examples altogether. Here's how the terms look after my modifications:
I have also applied small modifications to these terms that you can see from above, but here's some examples:
The "preference" category is a bit problematic right now because there are actually some places in Decidim which use this type of "cookies" (or local storage), such as storing which "floating help" banners the user has previously dismissed (these are the banners that explain e.g. what is a participatory process). But putting them under the "preference" cookies would also require that when the preference cookies are disabled, we would disallow hiding these banners for the user, so it is not definitely in the scope of this PR. |
verarojman
approved these changes
Aug 4, 2022
Contributor
There was a problem hiding this comment.
😍 Whoa @ahukkanen, thank you so much for integrating this feedback so quickly and so sensibly!
I have no further objections to the text in this data consent modal, and I understand that it's up to each Decidim application to explain users what each cookie does, and do it in a clear way.
The Codecov check is failing now, should I merge anyway? I see some other PRs are also missing this check.
Thanks again!
Contributor
Author
@verarojman It has been failing consistently as long as I can remember after the tests were split which I think happened years ago. It's an issue at Codecov that requires some further investigation. We cannot currently trust the results it reports. So yes, please merge and don't worry about the Codecov check. |
Crashillo
pushed a commit
that referenced
this pull request
Aug 10, 2022
* Rename cookie_consent to data_consent * Rename the data consent entry point to index.js * Fix the data consent entry point definition (wrong naming) * Fix the reference to the consent manager * Set the expiry period for the data consent cookie to 365 days * Add the secure flag to the cookie when under https * Add the domain and SameSite to the consent cookie * Add possibility to use HTTPS in development and tests * Add jest tests to test the cookie flags for the consent manager * Add system spec for the data consent * Add CI action for testing some of the system specs under HTTPS * Rename cookie_consent to data_consent and cookie_details to details In order not to confuse implementors that the data consent is not only about cookies. * Remove further references to cookies from the translations and code * Update docs with the latest code changes and remove references to cookies * Rename "cookies" doc page to "data_consent" and add relevant changes Add a note that the data consent is not only about cookies. * Add the review suggestions to the data consent docs * Update the documentation regarding testing under SSL * ESLint * Rename cookie_consent_warning partial to data_consent_warning * Fix the translation key for data_consent_settings * Fix the translation keys for data consent warning * Refine the JS code comments not to refer particularly to cookie consent * Rename the "cookies" system specs to "data_consent" * Move the data consent cookie flags test to the "data_consent" folder * Update the reference to the correct test in the core system SSL action * Update the action name for better ordering in the list * Change the cookie-consent SCSS file name to data-consent * Update the reference to data-consent SCSS in the docs * Update the capybara helper to data_consent and the related module name * Fix partial name in meetings * Fix the comments in the initializer template * Fix the domain and flags in the default consent cookie After introducing the new flags and setting the domain for the cookie, the Capybara cookie was overriding the cookie set by JS because it had incorrect domain (JS allows also subdomains). Also add the extra flags to the default cookie that were added to the JS for consistency and to avoid potential side effects. * Fix the organization data consent spec after the default cookie changes * Fix the default cookie if the domain is localhost * Improve the expectation for the cookie expiry * Change `cookie` to `dataconsent` in the CSS class names * Rename `cc-` prefix to `dc-` in the data consent HTML IDs and classes * Update the development app notes * Update ruby version for the SSL tests * Apply modifications to the cookie consent description based on review
This was referenced Sep 19, 2022
eliegaboriau
pushed a commit
to eliegaboriau/decidim
that referenced
this pull request
Oct 25, 2022
* Rename cookie_consent to data_consent * Rename the data consent entry point to index.js * Fix the data consent entry point definition (wrong naming) * Fix the reference to the consent manager * Set the expiry period for the data consent cookie to 365 days * Add the secure flag to the cookie when under https * Add the domain and SameSite to the consent cookie * Add possibility to use HTTPS in development and tests * Add jest tests to test the cookie flags for the consent manager * Add system spec for the data consent * Add CI action for testing some of the system specs under HTTPS * Rename cookie_consent to data_consent and cookie_details to details In order not to confuse implementors that the data consent is not only about cookies. * Remove further references to cookies from the translations and code * Update docs with the latest code changes and remove references to cookies * Rename "cookies" doc page to "data_consent" and add relevant changes Add a note that the data consent is not only about cookies. * Add the review suggestions to the data consent docs * Update the documentation regarding testing under SSL * ESLint * Rename cookie_consent_warning partial to data_consent_warning * Fix the translation key for data_consent_settings * Fix the translation keys for data consent warning * Refine the JS code comments not to refer particularly to cookie consent * Rename the "cookies" system specs to "data_consent" * Move the data consent cookie flags test to the "data_consent" folder * Update the reference to the correct test in the core system SSL action * Update the action name for better ordering in the list * Change the cookie-consent SCSS file name to data-consent * Update the reference to data-consent SCSS in the docs * Update the capybara helper to data_consent and the related module name * Fix partial name in meetings * Fix the comments in the initializer template * Fix the domain and flags in the default consent cookie After introducing the new flags and setting the domain for the cookie, the Capybara cookie was overriding the cookie set by JS because it had incorrect domain (JS allows also subdomains). Also add the extra flags to the default cookie that were added to the JS for consistency and to avoid potential side effects. * Fix the organization data consent spec after the default cookie changes * Fix the default cookie if the domain is localhost * Improve the expectation for the cookie expiry * Change `cookie` to `dataconsent` in the CSS class names * Rename `cc-` prefix to `dc-` in the data consent HTML IDs and classes * Update the development app notes * Update ruby version for the SSL tests * Apply modifications to the cookie consent description based on review
ahukkanen
added a commit
that referenced
this pull request
Dec 22, 2022
* preparation conference assets * highlight conferences block * card grid * differenciate between index & show * fix ruby lint * create reverse layout * conferences show and partners * refactor address cells repeated, extracted to component * reformat map section * conferences hero block * conferences navigation * add no-external-link, simplify partial * fix erb lint * create layout 2col * add future boxes when they're ready * conference speakers dekstop * mobile tuning * Fix account update without password change (#9582) * Handle password change properly at the account form When the user tried to update their account without changing their password, they could not submit the form due to the front-end validations. Fix this issue by marking those fields required only when they are visible on the form. * Make sure the spec checks the encrypted password is not changed When account is updated without providing a password, the encrypted password shouldn't change. * Do not autofill the password on the account form In tests, the user record responds to `.password` which causes the account form updates to work differently in tests than they do for actual users. * Apply feedback from the code review * Add also password and password confirmation errors on the form In case the password update failed, the user doesn't get any feedback. This fixes that issue. * Fix order when filtering Meetings (#9505) * Change date meetings filters checkboxes to radio buttons * Fix default upcoming filter on meetings' controller * Order filtered meetings by start_time * Use Faker::Date in meetings' seeds * Convert let definitions to one line blocks * Fix typo * Add default filter specs for Upcoming meetings * Add specs for 'date filters' on meetings * Reintroduces the 'All' filter for meetings dates * Remove uneceessary instance variable Co-authored-by: Antti Hukkanen <antti.hukkanen@mainiotech.fi> * Fix for 500 errors on static maps * Preserve the currently selected per_page value with filter forms * Fix the broken specs due to changes in the per_page configuration * Do not use concat in helpers that are used in cells * Rubocop Co-authored-by: Antti Hukkanen <antti.hukkanen@mainiotech.fi> * Fix admin autocomplete with extra URL parameters (e.g. locale) (#9650) * Fix issues with daily and weekly notifications (#9599) * Fix notification daily and weekly status * Fix notification digest sending decider to check from the end of the day * Rubocop * Fix blocked user nickname and avatar in user presenter (#9659) * modify nickname and avatar in user presenter * add spec * modify nickname * Fix data consent expiry (#9570) * Rename cookie_consent to data_consent * Rename the data consent entry point to index.js * Fix the data consent entry point definition (wrong naming) * Fix the reference to the consent manager * Set the expiry period for the data consent cookie to 365 days * Add the secure flag to the cookie when under https * Add the domain and SameSite to the consent cookie * Add possibility to use HTTPS in development and tests * Add jest tests to test the cookie flags for the consent manager * Add system spec for the data consent * Add CI action for testing some of the system specs under HTTPS * Rename cookie_consent to data_consent and cookie_details to details In order not to confuse implementors that the data consent is not only about cookies. * Remove further references to cookies from the translations and code * Update docs with the latest code changes and remove references to cookies * Rename "cookies" doc page to "data_consent" and add relevant changes Add a note that the data consent is not only about cookies. * Add the review suggestions to the data consent docs * Update the documentation regarding testing under SSL * ESLint * Rename cookie_consent_warning partial to data_consent_warning * Fix the translation key for data_consent_settings * Fix the translation keys for data consent warning * Refine the JS code comments not to refer particularly to cookie consent * Rename the "cookies" system specs to "data_consent" * Move the data consent cookie flags test to the "data_consent" folder * Update the reference to the correct test in the core system SSL action * Update the action name for better ordering in the list * Change the cookie-consent SCSS file name to data-consent * Update the reference to data-consent SCSS in the docs * Update the capybara helper to data_consent and the related module name * Fix partial name in meetings * Fix the comments in the initializer template * Fix the domain and flags in the default consent cookie After introducing the new flags and setting the domain for the cookie, the Capybara cookie was overriding the cookie set by JS because it had incorrect domain (JS allows also subdomains). Also add the extra flags to the default cookie that were added to the JS for consistency and to avoid potential side effects. * Fix the organization data consent spec after the default cookie changes * Fix the default cookie if the domain is localhost * Improve the expectation for the cookie expiry * Change `cookie` to `dataconsent` in the CSS class names * Rename `cc-` prefix to `dc-` in the data consent HTML IDs and classes * Update the development app notes * Update ruby version for the SSL tests * Apply modifications to the cookie consent description based on review * Add Markdown linter CI workflow (#9446) * Add Markdown linter rake task * Add 'Lint Markdown files' step in CI * Add excluded files on markdown linter task * Fix heading levels * Specify language in fenced code block * Fix unordered list styles * Fix ordered list prefixes * Escape HTML tag * Simplify system admin creation documentation on generated README * Ignore the 'Multiple top level headers' rule in Participatory Texts example doc * Add ignore_rules_for_file logic in markdown linter * Ignore the 'Multiple top level headers' rule in Participatory Texts seed example * Ignore the 'First header should be a top level header' rule in GraphQL API doc * Remove mdl gem and configuration * Add markdownlint-cli NPM package and configuration * Change mdl references to markdownlint-cli * Fix linter offenses * Remove codeclimate markdownlint plugin * Add inline ignore rules in Participatory Texts examples * Ignore HTML comments when importing Markdown files * Fix HTML tags on spec * Reintroduce wrongly deleted stylelint script * Explicitly add fileutils as requirement If not, I have this exception when calling it directly: $ bin/rspec spec/webpacker_spec.rb (...) NameError: uninitialized constant FileUtils Did you mean? FileTest (...) * Sync npm packages files * Update spec to remove HTML comments * Fix the decidim-packs ignore from markdownlint * Change the markdownlint script name and the glob match pattern * Fix the disable file inline comment * Move the strong style and emphasis style excludes to correct file * Move the markdownlint-cli package to the distributed dev package * Fix the markdownlint script name in the github action * Remove unnecessary added linebreak from the Rakefile * Rename the markdownlint.yml config file extension for consistency * Fix missing markdownlint * Exclude link-fragments rule for the API usage.md * Add examples how to lint and fix markdownlint issues * Rake bundle Co-authored-by: Antti Hukkanen <antti.hukkanen@mainiotech.fi> * Fix broken link in the data consent documentation (#9665) * Fix uninitialized constant errors with custom set of modules (#9577) * Fix uninitialized constant errors for unexisting modules * Add specs for the dependency resolver * Document the method without documentation * Remove unnecessary commented code * DRY comments * Reset the resolver cache during the tests * Add debug messages for CI * More debug * Try relative paths to the git gems in the custom Gemfile * Print out the generated Gemfile.lock * Revert "Try relative paths to the git gems in the custom Gemfile" This reverts commit bb2f675. * Print out the root dirs in the test debug * Revert "Print out the root dirs in the test debug" This reverts commit 06983f1. * Move debug to its own spec * Print out bundle(r) and gem related ENV vars * More debug logging * Remove the unnecessary yield argument * Fix syntax error * Add debug for the dummy lockfile generation * Report bundle not frozen during the custom Gemfile specs * Remove the debug output from the custom Gemfile specs * Add specs for `Decidim.module_installed?` * Add missing return value YARD docs * Rubocop auto-correct * Fix PWA install prompt keeps appearing more than once (#9603) * Prevent the PWA install notification after user has seen it * Add the new local storage item to the essential local data * Refactor the install prompt prevention to a2hs.js at the sw folder * Redesign: blogs (#9436) * two-columns layout * card blog * layout index blog * one column layout + decorator * blog post show prose * Enable explicitly redesign on posts controller * replace locals by content_for block * single post botton bar * fix bg-color new tailwind setup * remove unnecessary css class * restore post description * add filter component (non-functional) * fix blog glitches * adapt blogs show to new layout * Fix presenter detection of author on blogs * Refactor actions on author cell * Remove unused partial * Recover id in follow_button to allow ajax refresh * Remove unused translations * Update selector in posts tests * Use paginable concern in posts controller * Fix pagination test in posts * Remove deprecated test The back button dissapear in the redesign * Remove deprecated test The most commented section is removed in the redesign * Replace TODOs with REDESIGN PENDING * Revert comment * Integrate endorsers list * Allow to define which context actions may appear in author cell * Split endorsements_button in redesigned and legacy design versions * Fix js endorsements template to take into account redesign * Define profile from cell in redesigned author cell * Update test to take into account redesign in endorsements feature * Sanitize title in debates card * Split follow button in redesigned and legacy versions * Remove read more link from blog descriptions in index * export layout 2 columns * fixes on blog lists * fix glitches blog show * fix lint * Allow definition of a layout in redesigned author cell * Include layouct and context actions in cache key of redesigned author cell * alternative design blog author * set generic layouts * Refactor author compact display * endorsers list toggler * update buttons classes * blog buttons * apply button updates * avoid tailwind compilation * Allow to provide options to redesigned_follow_button from helper using it * Allow redesigned author to display only avatar image * Define full list view in endorsers_list cell and use avatar version of redesigned author cell * set fixed bottom space * Allow to provide options to redesigned_follow_button from helper using it * Fix translation * restore script * set gradient stops * fix lint * Fix linter offense * responsive 2col layout * icon to endorsements * restore h4 * replace button and hide links * fix actions menu mobile * Update default tail for html truncation * Use default tail chars * Fix specs * close endorsements as button * skip links * remove unnecessary role Co-authored-by: Eduardo Martinez Echevarria <eduardomech@gmail.com> Co-authored-by: Fernando Blat <fernando@blat.es> * fixes conferences mobile * conference registration desktop * hide temporary banner * resposive registration * desktop conference program w/ interaction * fix tailwind compilation * split large file into minor ones * duplicate time events * fix style issues * Update test selectors and expected texts * Update selector in test * Remove conferences from entrypoints test The conferences.scss file is no longer loaded through Decidim::Webpacker.register_stylesheet_import mechanism and is imported directly from decidim_conferences javascript file * Fix linter offenses * Remove unused translations * Update test selectors and expected texts * Fix linter offense * Wrap conference data in show view in a div for tests * Fix some tests selectors and expected texts * Update test * Restrict redesign_participatory_space_layout to show action and include contextual help in index view * rename partials * fix tests * Update tests * Fix text * Fix expected texts * Add redesigned conference participatory space layout * Define redesigned participatory_space context layout correctly * Fix test and avoid ambiguities * Update conferences cells tests * move resources to the layout * Allow setting fallback layout when there are participatory_space_layout definitions * Set layout for controllers not using participatory_space_layout in conferences * general fixes in conference module * implement speakers modal 🎉 * implement modal for registration * implement modal for registration * program mobile version * Test helper to generate modals * modal helper generalization * use item_list component styles for listing * Extract items of navigation menu of a conference to a helper * Revert "use item_list component styles for listing" The reverted commit produced compilation errors This reverts commit 780815a. * Fix linter offense * Fix test * Recover text argument in link_to call * Remove unused translation * allow modal to have id * style login modal form * fix common classes * missing dialog-title (a11y) * Disable default class on login modal form * Remove unused translation * Hide attributes which can generate accesibility issues REDESIGN_PENDING See the comment * Avoid accessibility errors with old layout * conditionally append the aria tagging for optional attributes * Split login modal in legacy and redesigned versions * Prepare button to open login modal to work with redesigned and legacy layouts * Change selectors in tests * Recover authorize before action in redesgin_participatory_space_layout * Fix selector in text * Update expected text in test * Allow skipping before_action on redesign_participatory_space_layout in favor of other filters * Fix selector in tests * add new font size for heros * apply the font-size hero to conferences * simplify flash position: always on top * simplify test markup * add generic button css classes * update cell buttons with the new defaults classes * fix registration button style * responsive margins on register * replace lateral menu with dropdown on mobile * fix modal * underline links & test button truncate * Don't pass options to layout in redesign_participatory_space_layout * extract dropdown common css to file * enable login boxes * linked resources block * fix bad assignment * hide the dropdown mobile by default (no jumping effect) * remove floating help * hide temporary the spaces help * show the floating help to avoid tests fails * fix external_icon to use redesidnged icon lib * conferences media view: links & photos * conferences media view: documents (separated component) * conferences media view: responsive * remove unused locales * fix onmiauth buttons * fix design glitches program view * fix media design glitches * Fix selectors in tests * unbind tests from css classes * extract card grid/highlight from conferences to core * Fix selectors in tests * add id to resources in order to specify capybara tests * fix selectors in tests * Skip test * add metadata styles to the cards * adjustments responsive cards * add min width to buttons, in order to apply truncate props * Edit text * handle conference map (if enable or not) * force scroll in modal contents if so large * the modal cannot be inside the modal trigger * distinguish conference programs * place floating_help * fix a11y * rescue original participatory_space_floating_help methods * restore link text to component_name instead of program * set gap in content blocks * fix glitches in mobile & code reviews * small css glitch * add changes from #10007 * move CSS specification to its own file * fixes a11y * avoid foundation [data-open] throws error * merge item-list into card css component * update item-list* classes with card__list* * adapt login modal to follow a regular markup * don't allow custom htl text on descriptions * remove cursor pointer on hover * add title to content-block component * tune documents partial * add note * don't hover if not clickable * limit size conference media sections * add border when sibling * simplify card grid text container * remove literal * remove price if it's empty or zero * disable also in registration (specifity) * extract photos cell from conferences to core * remove the title from the partials (it should be added by the container) * remove the margin-top for components since its their container who sets that up * align left if only child * update i18n key * update tests for attachments * more specific css component rule * make link specific css * add span style as component part * wrap button text contents Co-authored-by: Antti Hukkanen <antti.hukkanen@mainiotech.fi> Co-authored-by: Andrés Pereira de Lucena <andreslucena@users.noreply.github.com> Co-authored-by: eliegaboriau <93646702+eliegaboriau@users.noreply.github.com> Co-authored-by: Eduardo Martinez Echevarria <eduardomech@gmail.com> Co-authored-by: Fernando Blat <fernando@blat.es>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🎩 What? Why?
This fixes the issue described at #9569 that the data consent is not stored across different browser sessions. After closing the browser and going back to the site, the user needs to re-accept the cookies whereas in the past the consent persisted for 365 days.
This adds the expiry time to the data consent cookie and also addresses few other issues regarding this functionality as agreed before:
SameSiteandSecurecookies according to the site's configurationcookie_consentstrings todata_consentandcookie_detailsstrings to justdetailsnot to confuse implementors that the data consent is not only about cookies (this change was agreed today 2022-07-13 in the maintainers meeting)I am also introducing the ability to test site under HTTPS in both tests and the development app in order to test the
secureflag for the cookie correctly.📌 Related Issues
Testing
To test the original issue:
To test the
secureflag under HTTPS (and also theSameSiteflag at the same time):DEV_SSL=true bundle exec rails s(binds the server under HTTPS to port 3443)localhost)https://localhost:3443localhostdomain📷 Screenshots