Build privacy advanced recipe

Created on 25 October 2024, 5 months ago

Problem/Motivation

The advanced privacy should be optional and is only required by sites that will allow their users to create accounts on the site. The recipe will provide this functionality:

  • Configure entity fields by marking those with personal data as sensitive
  • Provide a mechanism that allows authenticated users to request a report about their personal data that's being stored on the site
  • Create such a report and deliver it to the user
  • Provide a mechanism that allows authenticated users to request their personal data being deleted
  • Obfuscate the personal data on request
  • Obfuscate sensitive data during database dumps so that stages or dev environments can work on the basis of sanitized content

Proposed resolution

The module proposed for this recipe is the GDPR module β†’ .

πŸ“Œ Task
Status

Active

Component

Track: Privacy

Created by

πŸ‡©πŸ‡ͺGermany jurgenhaas Gottmadingen

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @jurgenhaas
  • Pipeline finished with Success
    5 months ago
    Total: 926s
    #320514
  • Pipeline finished with Skipped
    5 months ago
    #338381
  • Pipeline finished with Skipped
    5 months ago
    #338430
  • Pipeline finished with Skipped
    5 months ago
    #338435
  • Pipeline finished with Canceled
    5 months ago
    Total: 64s
    #338436
  • Pipeline finished with Skipped
    5 months ago
    #338455
  • Pipeline finished with Skipped
    5 months ago
    #338454
  • πŸ‡©πŸ‡ͺGermany jurgenhaas Gottmadingen

    This MR is now available for testing by the privacy track team. It only configures the data protection framework in a very basic way.

    What it does so far:

    • A new tab "All your data" is shown in the user profile where users can request a data export or data removal.
    • A task management is available for admins at /admin/config/gdpr/tasks where they can work on those requests. Note: the cron needs to run several times during that process
    • The SQL Dump is being configured to anonymize some data
    • For the reports, removal and SQL dump only these 4 fields in the users_field_data if being anonymized: name, mail, password and initial email.

    This is working fine and if we want to go ahead with this, we can then discuss which other fields needed to be included into the list of sensitive data.

    A downside that comes with this setup: the GDPR config section at /admin/config/gdpr comes with 3 items that we don't need/want but that can't be disabled. Those are: Checklist, Summary, Content Links

    Another issue may be the name GDPR, as it is misleading for most users, in fact, all users outside the EU.

    Still, let's give this a try and then discuss how we want to proceed.

  • πŸ‡©πŸ‡ͺGermany jurgenhaas Gottmadingen
  • πŸ‡ΊπŸ‡ΈUnited States phenaproxima Massachusetts

    Honestly? Can't see a problem here so far. Just had one question.

  • πŸ‡ΊπŸ‡ΈUnited States phenaproxima Massachusetts

    One small change requested. The MR is still in draft, though; should that be changed? There also seem to be merge conflicts against 0.x that need to be resolved.

  • πŸ‡©πŸ‡ͺGermany jurgenhaas Gottmadingen

    @phenaproxima I've provided some more explanation in the thread to the MR.

  • Pipeline finished with Failed
    5 months ago
    Total: 64s
    #343603
  • Pipeline finished with Failed
    5 months ago
    Total: 64s
    #343604
  • Pipeline finished with Failed
    5 months ago
    Total: 647s
    #343609
  • Pipeline finished with Failed
    5 months ago
    Total: 655s
    #343610
  • Pipeline finished with Failed
    5 months ago
    Total: 622s
    #343843
  • Pipeline finished with Failed
    5 months ago
    Total: 627s
    #343844
  • Pipeline finished with Canceled
    5 months ago
    Total: 134s
    #343863
  • Pipeline finished with Canceled
    5 months ago
    Total: 211s
    #343864
  • Pipeline finished with Canceled
    5 months ago
    Total: 63s
    #343868
  • Pipeline finished with Failed
    5 months ago
    Total: 624s
    #343869
  • Pipeline finished with Canceled
    5 months ago
    Total: 64s
    #343893
  • Pipeline finished with Failed
    5 months ago
    Total: 494s
    #343894
  • Pipeline finished with Failed
    5 months ago
    Total: 420s
    #344756
  • Pipeline finished with Failed
    5 months ago
    Total: 423s
    #344755
  • Pipeline finished with Failed
    5 months ago
    Total: 623s
    #344764
  • Pipeline finished with Failed
    5 months ago
    Total: 762s
    #344765
  • Pipeline finished with Failed
    4 months ago
    Total: 1462s
    #351648
  • Pipeline finished with Failed
    4 months ago
    Total: 1547s
    #351649
  • πŸ‡¨πŸ‡­Switzerland boromino

    Although I have rebased the advanced privacy branch upon the latest 0.x branch, the recipe did not apply automatically when running ddev drush si --yes. After ddev composer require drupal/gdpr, ddev recipe-apply recipes/drupal_cms_privacy_advanced and ddev drush cr I was able to find all the above mentioned functionality.

    1. The recipe sets the export directory to private://forget. However, the private path is not set, which leads to the following error:

      file_exists(): Unable to find the wrapper "private" - did you forget to enable it when you configured PHP? GdprTasksSarWorker.php:223
      [notice] The data could not be saved because the destination private://gdpr-exports/9230fad6-f1ef-4f92-ac86-bad2b04a7496.zip is invalid. This may be caused by improper use of file_save_data() or a missing stream wrapper.

      After setting the private file path in settings.php manually, the data export works.

    2. The password hash is exported along with the user data. I'm not sure if that is a good and necessary thing.
    3. It is possible to request and process the removal of user 1 data. This should probably be made impossible.
    4. In Content links config the link to the Privacy policy page from privacy basic recipe could be set by default.

    I think the GDPR module is suitable with a few modifications.

  • Issue was unassigned.
  • Status changed to Needs work 3 months ago
  • πŸ‡ΊπŸ‡ΈUnited States phenaproxima Massachusetts
  • πŸ‡­πŸ‡ΊHungary mxr576 Hungary

    Configure entity fields by marking those with personal data as sensitive

    Would be a real invention! Usernames should be marked as sensitive by default. See: 🌱 [policy] Treat username enumerations as security bugs that require Security Advisories Active

  • πŸ‡©πŸ‡ͺGermany jurgenhaas Gottmadingen

    @mxr576 thanks for the link to the other issue. I'll also link ✨ Add User Privacy CMS recipe to Basic Privacy recipe Active as that may become part of this advanced recipe.

  • πŸ‡©πŸ‡ͺGermany jurgenhaas Gottmadingen

    We've discussed this in the privacy track meeting earlier this week, and we've had a chance to talk to @yanniboi who maintains the fields and the task sub-modules in GDPR β†’ .

    We came to the conclusion that it would be great to extract those 2 sub-modules out of the GDPR module and turn them into first class citizens.

    The GDPR-fields module should become a stand-alone module that acts as a kind of API for other use cases. It will allow site builders (or recipes) to define, which fields are sensitive (PII = personally identifiable information), and how that data should be processed in various contexts/use cases. Use cases will be implemented in their own stand-alone modules as well, each of which will then require this API module and build upon it. A potential name for this module could be "PII API".

    Use cases, that should be built on top:

    • Reporting about stored PII data and deleting that data on request: this is what the GDPR-tasks module currently does
    • Altering JSON API responses: this is what the hide username modules are doing in part and should be generalized
    • Altering Drupal's render output to protect PII
    • and maybe others in the future

    This would be a generic approach that breaks components down into logical pieces and ensures maintainability for each of them, as they have clear scopes and APIs so that components don't interfere with others when moving forward.

    Looking for feedback on this approach, so that we can fine tune and then start executing this plan.

  • πŸ‡¬πŸ‡§United Kingdom yanniboi UK
  • πŸ‡©πŸ‡ͺGermany jurgenhaas Gottmadingen
Production build 0.71.5 2024