[openstreetmap/openstreetmap-website] GDPR related sign-up changes (#1854)

[Andy Allan]

The CT signup process still works, in that if you still have a non-CT account and try to do things you have to accept the CTs first.

I'm against "re-using" existing code directly. It would be a nightmare if the code is covered in references to the contributor terms, but it had been repurposed to being acceptance of a ToU. For example, you can send messages and still be logged in and all sorts without agreeing to the CTs, but what we're proposing here covers much more of the site (e.g. read-only API requests).

I'd also like to avoid adding a zero hour block to every user - it would certainly pollute the list of user blocks somewhat!

I think what needs some clarity is:

* Do we need to store a confirmation that the privacy policy has been agreed to? Boolean or timestamp?
* How should we handle future privacy policy changes - do we just blank the 'privacy_policy_agreed' column every time we change the policy? Or do we need to track versions and agreements for each version?
* Do we need to handle the API ToU agreement separately, or is there just one agreement to cover both privacy policy and API ToU?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/1854#issuecomment-389086298
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/rails-dev/attachments/20180515/406e489b/attachment-0001.html>