Coder Social home page Coder Social logo

ujamii / ujamii-dsgvo Goto Github PK

View Code? Open in Web Editor NEW
3.0 4.0 4.0 72 KB

DSGVO compliance extension for TYPO3

License: MIT License

TypeScript 29.83% PHP 55.11% HTML 13.42% JavaScript 1.64%
google-analytics typo3-backend cookie-consent cookie typo3 dsgvo composer-package

ujamii-dsgvo's Introduction

ujamii-dsgvo

Packagist

Data privacy/DSGVO compliance extension for TYPO3

  1. Version matrix
  2. Description
  3. Installation
  4. Usage
  5. Extending the database cleaning
  6. Credits

Versions

ujamii_dsgvo TYPO3
<= 1.0 >= 8.7 <= 9.5
>= 2.0 >= 9.5 <11
>= 3.0 (planned) >= 11

Description

On 25th of May 2018 the new laws regarding data privacy protection will be in place. With fines up to 20 Mio. €, or 4% of global revenue for international corporations, every organization (commercial AND non-commercial) operating in the European Union must comply with the regulations described in the linked documents.

For TYPO3 websites this has several implications:

  • private data in the database needs to be deleted (instead of setting deleted=1)
  • transmissions of the data to the webserver or a mail service needs to be encrypted
  • imprint and data privacy information needs to be on separate website (at least in Germany)
  • users must be notified about permanent cookies and have a possibility to opt out for tracking services
  • ...

This extension aims to help identify possible issues as well as perform regular tasks like cleaning up the database and delete "deleted" records as well as older data submitted in forms.

Links

Installation

  1. Get the files
    1. install via composer: composer require ujamii/ujamii-dsgvo
    2. install via archive: Download and extract in typo3conf directory, rename folder to ujamii_dsgvo
  2. activate the extension in the backend (may need to clear the autoloading cache
  3. a new submodule "DSGVO" in the main module "web" will appear

Usage

  1. Data cleaning
  2. DEPRECATED! Cookie consent
  3. Opt Out for Cookies
    1. Google Analytics
    2. Matomo (Piwki)

Modes of operation

The extension can count, anonymize or really delete records in the database. The backend module uses the select mode to display the overview. With the two buttons below the table overview, you can start the process of overwriting the records with dummy data (anonymization) or deleting.

Deleting records may be harmful for the data integrity as TYPO3 does not use constraints on database level by default. Thus, the delete mode is NOT the default mode! If you really want to delete the records, use this mode/button explicitly. Please be aware, that if you add more tables to the config, the anonymization mode will do nothing as long as there is no anonymize part set! Also, you have to care for the correct data format yourself. Writing wrong data types in the field = value list may lead to errors. The anonymization mode also writes to the tstamp and crdate fields (if configured in the TCA). The new value of those fields will be 0. This value is also the indicator that those rows have already been handled. Thus, rows with tstamp = 0 AND crdate = 0 will not be counted/handled. If you create records from outside the TYPO3 datahandler yourself, please check those fields are not 0 after your database write.

For more flexibility, the values for overriding data in the database are configured via PageTS. So if you want to add your own table, just add the anonymize part and the extension will care for your data as well.

In the TYPO3 backend

Click on the module icon in the main backend menu (inside "web"). You will see an overview for each configured extension and database table. Green rows mean nothing to delete, red rows mean something would be deleted/anonymized if you click the red "delete" or the orange "anonymize" button at the bottom of the page. The amount of affected rows is also shown on the overview page.

As CommandController on the shell

A call like vendor/bin/typo3cms cleanup:cleandatabase --page-uid=1 --mode=select will output something like:

2018-04-06 17:27:01
FALSE means Extension not installed, integer is amount of affected records.
array(5 items)
	core => array(2 items)
	   fe_users => 0 (integer)
	   be_users => 0 (integer)
	powermail => array(1 item)
	   tx_powermail_domain_model_mail => 0 (integer)
	formhandler => FALSE
	tt_address => FALSE
	comments => FALSE

Possible values for the --mode= parameter are:

  • select (just counts rows, does no alter the database)
  • anonymize (overwrites rows with configured values, see pagets.ts)
  • delete (does what it says, really DELETEs the rows from the database)

Extend the database cleaning

To extend the database cleaning which could be done in the backend or via CLI/Scheduler, you just need to write some typoscript and add it into the pageTS of your website.

You can add several tables, grouped by extension. Starting level is module.tx_ujamiidsgvo_dsgvocheck.settings.db and the next level is the extension name (e.g. powermail) and then the table name.

The option allDeleted can be 0 (default) or 1. If set to 1, all deleted=1 records in this table will be used on every run of the process. The delete field name is read from the TCA.

Setting the andWhere option will limit the rows in the database which are covered in the process. So if you leave this empty ALL THE RECORDS IN THIS TABLE WILL BE HANDLED!!! So you better think about it beforehand ;-)

Example for powermail extension:

module.tx_ujamiidsgvo_dsgvocheck {
    settings {
        db {
            powermail {
                tx_powermail_domain_model_mail {
                    allDeleted = 1
                    andWhere = crdate < UNIX_TIMESTAMP(DATE_SUB(now(), INTERVAL 6 MONTH))
                    anonymize {
                        sender_name = anonymized
                        sender_mail = anonymized
                        //...
                    }
                }
            }
        }
    }
}

To see which tables are covered by default, take a look into the pagets.ts. You may skip the anonymize part completely if you only want to really delete records for a certain table.

DEPRECATED! Cookie consent

This feature is deprecated and will be removed in the next major version! If you need cookie management in TYPO3, use something like Wacon Cookie Management.

If you use cookies on your website, you will at least have to notify your users and provide an opt-out to cookies that are not essential to the website/service itself and/or contain some sort of private information of the user. Sadly, even dynamic IP addresses are considered a private value of information (at least in Germany).

So utilizing a third party ready-to-use solution may be enough for you. This extension provides an example based on cookieconsent.insites.com. To use it in your TYPO3 project, just copy the partial template. to your project partial path and then include it in your fluid template like this:

<f:render partial="Frontend/CookieConsent" />

If you want to directly use the example, just add the partial folder to your fluid paths:

10 = FLUIDTEMPLATE
10 {
	file = ...
	partialRootPaths {
		0 = ...
		1 = EXT:ujamii_dsgvo/Resources/Private/Partials/
	}
	layoutRootPaths.0 = ...
}

To configure the target page, just set page.privacyInfo = xyz in your typoscript constants, where xyz is the uid of the page. If you want to change how this cookie consent is included, have a look at the setup.ts

Opt Out for Cookies

Google Analytics

To opt out for tracking cookies, you need to add some lines of JavaScript code and provide a link or button for the user which triggers the Opt Out functionality. In the TYPO3 backend, this could easily done by creating a new content element on the privacy information page. Add a new element of type "HTML" and paste something like the example below: (assuming using Bootstrap CSS)

<a href="javascript:gaOptout();window.alert('Tracking has been disabled.');" class="btn btn-danger">I do not want to be tracked</a>
<a href="javascript:gaOptout();window.alert('Tracking wurde deaktiviert.');" class="btn btn-danger">Ich will nicht getrackt werden</a>

You may want to add a more detailed description like:

You can deactivate Google Analytics tracking. To deactivate it, please click the button below. A cookie will be created in your Browser. If it is set, Google Analytics will no longer log any data.

or in German:

Sie können das Web-Tracking von Google Analytics abschalten. Klicken Sie dazu auf den unten stehenden Button. Es wird dann ein Cookie in Ihrem Browser gesetzt. Wenn der Cookie erstellt wurde, wird Google Analytics keine Daten mehr erheben.

Matomo (formerly Piwik)

Matomo provides a ready-to-use snippet directly inside the tracking application itself, so just follow the instructions on their website and you're done.

TODOs / Known issues

Have a look at the issues list on GitHub.

Icon credits

Icon downloaded from https://www.flaticon.com/free-icon/database-protection_1825

Icons made by Freepik from www.flaticon.com is licensed by CC 3.0 BY

ujamii-dsgvo's People

Contributors

marionitschke avatar mgrundkoetter avatar

Stargazers

avatar avatar avatar

Watchers

avatar avatar avatar avatar

Forkers

janmaennig mobasoft marionitschke seanpm2001

ujamii-dsgvo's Issues

Anonymization instead of deletion

It would be very handy for further data integrity, to just overwrite database records with dummy data instead of really deleting the records from the database. This could be configured in the TS settings for each table like fieldname = dummyvalue. It should also be possible to set whether overwriting or deleting should be done on a per-table basis. Deletion should then not be default any more for data integrity reasons.

Add checks for the frontend of the website

Add a crawler like guzzle to really check the frontend of the website for several things:

  • SSL secured connection if forms are used
  • are permanent cookies used for tracking services like GA, etracker, piwik a.s.o.

This could be done as a service which can then be called in the backend module, from the cli or elsewhere.

Checks are skipped if extension not installed

Right now, it is checked whether the configured extension is installed, before the db check is done. This may lead to existing records in the db which will not be found just because the "owning" is no longer installed. So as an enhancement, the check for table existence should be done anyway.

Handle linked records correctly

linked records (FAL, categories, ...) are ignored as the deletion process does it directly in the database, not via extbase models.
They should not be deleted by default, but maybe an option to also handle (anonymize/delete) the linked records in specific fields may be useful.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.