Making WordPress.org

Opened 4 years ago

Last modified 3 years ago

#5618 accepted enhancement

Require ToS/Privacy at login and record acceptance

Reported by: tellyworth
Owned by: dd32
Milestone:
Priority: high
Component: Login & Authentication
Keywords:
Cc:

Description

For legal reasons it is necessary that WordPress.org enforces acceptance of a ToS and Privacy Policy at login, and records the date and version of the policy most recently accepted by each user. This means:

  • The login form will need to include a checkbox such as [ ] I have read and accept the terms of service and privacy policy with appropriate links.
  • Failure to check the box will prevent login.
  • Login sessions should remain capped at 2 weeks to ensure all active users regularly accept new terms.
  • On successful login, a usermeta or similar value should be set recording the timestamp and version of the ToS and Privacy policy documents (perhaps the currently deployed svn rev# for each?)
  • It should probably also record the rev # of the login form and theme, since that may be relevant info.

Attachments (2)

Screen Shot 2021-04-14 at 4.51.53 pm.png (212.3 KB) - added by dd32 3 years ago.
Screen Shot 2021-04-14 at 4.49.11 pm.png (149.2 KB) - added by dd32 3 years ago.


Change History (11)

#1 follow-up: @dd32
4 years ago

The login form will need to include a checkbox such as [ ] I have read and accept the terms of service and privacy policy with appropriate links.

Alternatively:

  • The registration form should have the checkbox
  • The login form should only prompt if the user hasn't reviewed the terms since last update

Perhaps the login validation could be a post-login screen, with a "Yes I agree / No I do not" button instead of a checkbox though.

timestamp and version of the ToS and Privacy policy documents (perhaps the currently deployed svn rev# for each?)

Recording the timestamp that they've agreed to should be enough I think, i.e. it's safe to assume that someone's timestamp of 2021-06-01 01:02:03 will indicate that they've agreed to the 2021-05-01 policy, but not the 2021-07-01 version.

Note that WordPress.org does not currently have a published TOS; this would probably go well with #957.
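
The timestamp-only approach from the comment above, as an added example that is not part of the ticket or WordPress.org's code: it infers which policy revision a stored acceptance timestamp covers and decides whether login must stop at the agreement screen. The revision list, the function names and the stored-value format (Unix seconds in a usermeta-style string) are assumptions.

```python
from bisect import bisect_right
from datetime import datetime, timezone

UTC = timezone.utc

# Constructed publication times for two policy revisions, reusing the dates
# from the comment above. Hypothetical data; must stay sorted ascending.
POLICY_REVISIONS = [
    datetime(2021, 5, 1, tzinfo=UTC),
    datetime(2021, 7, 1, tzinfo=UTC),
]


def revision_in_force(at):
    """Newest revision published at or before `at`, or None if none yet."""
    i = bisect_right(POLICY_REVISIONS, at)
    return POLICY_REVISIONS[i - 1] if i else None


def accepted_revision(stored_value, now):
    """Infer which revision a stored acceptance timestamp refers to.

    `stored_value` is Unix seconds as kept in a usermeta-style string field
    (assumed format). Missing, malformed or future-dated values yield None,
    so the caller fails closed and asks again.
    """
    try:
        accepted = datetime.fromtimestamp(int(stored_value), tz=UTC)
    except (TypeError, ValueError, OverflowError, OSError):
        return None
    if accepted > now:
        return None
    return revision_in_force(accepted)


def needs_prompt(stored_value, now):
    """True when login must stop at the agreement screen."""
    current = revision_in_force(now)
    if current is None:
        return False  # nothing has been published, nothing to accept
    return accepted_revision(stored_value, now) != current


if __name__ == "__main__":
    accepted = str(int(datetime(2021, 6, 1, 1, 2, 3, tzinfo=UTC).timestamp()))
    for day in (datetime(2021, 6, 15, tzinfo=UTC), datetime(2021, 7, 2, tzinfo=UTC)):
        print(day.date(), "prompt" if needs_prompt(accepted, day) else "ok")
```
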

#2 in reply to: ↑ 1 @carike
4 years ago

Replying to dd32:

Alternatively:

  • The registration form should have the checkbox
  • The login form should only prompt if the user hasn't reviewed the terms since last update

I prefer this :) Better user experience, less compliance fatigue, more meaningful interaction.

This ticket was mentioned in Slack in #meta by tellyworth.


3 years ago

#4 @dd32
3 years ago

  • Owner set to dd32
  • Status changed from new to accepted

#5 @dd32
3 years ago

In 10889:

Login: Add an interstitial to record ToS/CoC/Privacy policy acceptance upon login, blocking login if not accepted.

This is currently only enabled for super admins while the feature is debugged/finalised.

See #5618.

#6 @dd32
3 years ago

In 10899:

Login: Have users agree to abide by the Privacy Policy (and later, ToS/CoC) when registering.

Enabled for all new signups.
See #5618.

#7 @dd32
3 years ago

In 10905:

Login: Enable the "Do you still agree to the Privacy policy" interstitial for super admins for now.

See #5618.

This ticket was mentioned in Slack in #community-team by tobifjellner.


3 years ago

#9 @dd32
3 years ago

In 11329:

Login: Record the last login date.

See #5618.
