Fixed Users are able to post new content/update content without accepting terms of service/privacy policy

Kirby

Affected version: 2.0.6 Beta 1

If users are required to accept new terms, they are still able to update several parts of their profile like signature, location, website, about you and avatar.

This allows them to somewhat bypass new terms without breaking them.

If, for example, the old terms allowed putting advertising into signatures and the new terms do not allow that, they could, still being under the old terms, edit their signature and put advertising in.

Furthermore, they would also be able to enter PII (location, website) without giving explicit consent to process this data, which might be problematic under GDPR.

Therefore I think that this is a bug and should be changed so they can only remove data but not update or add new data unless they have accepted.
 
It's not really possible to have it work in a conditional way where it's ok to remove, but not add data, unfortunately.

So it's pretty much either all available or all not available. The privacy policy states how to contact the admin/s to remove data so I think just blocking most of the account section is fine.

The only thing we don't block from the next release is the visitor menu (which loads in from account/visitor-menu) and the ability to dismiss notices.
 