[policies] Add infrastructure to track user decisions to policies #9818
Conversation
github-actions
bot
added
Language: SQL
skarya22
added
Project: CCNA
There was a problem hiding this comment.
I like the idea of this and did a first pass at skimming it. I think the structure should be reworked.
In addition to the changes requested, on a high level I think it would make sense to have a "Policy" class to group the behaviour together rather than everything being ad-hoc strings and Utility functions and htdocs files.
| exit(0); | ||
| } | ||
|
|
||
| \Utility::saveUserPolicyDecision( |
There was a problem hiding this comment.
I don't know why this would go in the Utility class.. is there any circumstance other than this endpoint where it would be used?
There was a problem hiding this comment.
Yup! Since the policy table can be used to track any User decision, we have a use-case in CCNA where we have a button on a specific page, and whenever a user presses it one of our projects wanted to keep track of that - so we need this function in a place where other projects can use it without having to rewrite it
| @@ -11,6 +11,7 @@ import { | |||
| CheckboxElement, | |||
| ButtonElement, | |||
| } from 'jsx/Form'; | |||
| import {PolicyButton} from '../../../jsx/PolicyButton'; | |||
There was a problem hiding this comment.
Does this need to be done every place that a policy might be added?
If so, I think the dataquery module is also very common, and it's probably more common to require the ToU on login than on request account?
There was a problem hiding this comment.
In that case it could be added to the dashboard module instead in the policies table and then when they login it pops up
There was a problem hiding this comment.
To clarify on this further, the import needs to be done whenever we want a button to open the policy, rather than having it pop-up when the module is opened, or have a button in the Header. Auto pop-up and a header button do not require the PolicyButton, but since on the login page we do not have a header, and do not want it to pop-up immediately on opening LORIS, we need a specialized button. I added it as a jsx component rather than to login module directly because I can imagine a use case where a project may want to have the ability to open the policy again on-click of a button in another module
There was a problem hiding this comment.
I was about to remove the request account Terms of Use feature which is the cause for needing it in htdocs and the PolicyButton.jsx files, but remembered that the entire use case of this for EEGNET is on request account. Can view it at eegnet.loris.ca
| * @return array The policy details | ||
| * @throws \DatabaseException | ||
| */ | ||
| static function getPolicy( |
There was a problem hiding this comment.
This doesn't really belong in Utility. From what I can tell, policies are per module (based on this function signature), so I think it would make sense to have a non-static module method. (It's not clear if policies are enforced per-page or per module, if per page maybe it should be in NDB_Page)
There was a problem hiding this comment.
I can move it to NDB_Page probably
| bool $headerButton = false | ||
| ) { | ||
| $factory = \NDB_Factory::singleton(); | ||
| $DB = $factory->database(); |
There was a problem hiding this comment.
database connections should come from the LorisInstance object
| $DB = $factory->database(); | ||
| // If no policy name is given, we return the latest policy for the module | ||
| if (!empty($policyName)) { | ||
| $policyName = 'AND p.Name = '. $DB->quote($policyName); |
There was a problem hiding this comment.
I don't really understand why some variables are concatenated and some are using prepared statements.
(Prepared statement variables are the better option..)
There was a problem hiding this comment.
If I put $policyName as a prepared statement variable then it would not work when no policyName is provided, right?
| SET FOREIGN_KEY_CHECKS=0; | ||
| TRUNCATE TABLE `policies`; | ||
| LOCK TABLES `policies` WRITE; | ||
| INSERT INTO `policies` (`PolicyID`, `Name`, `Version`, `ModuleID`, `PolicyRenewalTime`, `PolicyRenewalTimeUnit`, `Content`, `SwalTitle`, `HeaderButton`, `HeaderButtonText`, `Active`, `AcceptButtonText`, `DeclineButtonText`, `CreatedAt`, `UpdatedAt`) VALUES (1,'dataquery_example','v1',49,7,'D','By using this Data Query Tool, you acknowledge that you know it is in beta and may not work as expected. You also agree to use it responsibly and not to misuse the data.','Terms Of Use','Y','Terms Of Use','Y','Yes, I accept','Decline','2025-05-28 10:54:21','2025-05-28 10:54:21'); |
There was a problem hiding this comment.
I'm confused by the fact that the example in the database is for the data query tool but the code being changed is for request account
There was a problem hiding this comment.
There are two example policies. The one for the login page is right under this.
The one for dataquery does not require any edits to the module as it is inherited from NDB_Page and will work the same for all pages / modules. So any module just needs to have an entry in policies for it to show up.
I had to make changes to request account to enforce that if there is a policy there it is enforced where you have to view it to request an account
There was a problem hiding this comment.
To clarify this a bit further as well, as mentioned there are two example policies in this PR.
- A pop-up policy for the DQT that both pop-up when the module is opened, but is also re-openable whenever you press on Terms of Use in the header while the module is open. This behaviour is easily reproducible in any module just through sql.
- A policy that is tracked on the login page when a user is requesting an account. It's a different use case than the regular pop-up policies since we need a button in request account rather than having it automatically pop-up or having a button in the header. So for this one we need to manually add the PolicyButton, versus the other implementation where the policy is enforced / added through SQL.
|
@jeffersoncasimir let me know if you have time for this one, else re-assign it to me. |
|
@regisoc I don't think this is ready for review. Not passing tests, no changes since previous review and likely needs rebase |
skarya22
added
the
State: Needs work
|
@jeffersoncasimir sorry about that -- you're right it went off my radar when I went on vacation. I'll fix it up and then request a review! Thanks |
…nt_Tracking_Infrastructure
Brief summary of changes
If there is a policy for the login module
If there is a policy for a non-anonymous module, and HeaderButton = 'Y'
Testing instructions (if applicable)
SELECT * FROM POLICIESselect * from user_policy_decisionLink(s) to related issue(s)