Notifications
Clear all

wpForo 1.x.x [Closed] Privacy & rules check boxes not validated

4 Posts
2 Users
1 Reactions
1,590 Views
Posts: 23
Topic starter
(@mistral)
Eminent Member
Joined: 6 years ago

Hi Guys

The various check boxes which can be enabled on the registration form....

I Agree to Receive an Email Confirmation
I Agree to Forum Privacy Policy
I Accept Forum Rules

None of these checkboxes are validated server side, so if a browser doesn't support the 'required' html tag or a user removes it, you can submit the form without these checked.

This is a pretty serious issue as it allows GDPR 'must-tick' boxes to be avoided and users would be sent emails without the necessary record of acceptance.

Solution: Any fields which are added in a form as 'required' should be validated server side.

I appreciate this is not an easy fix, but it is key to ensuring the correct legal position with GDPR.

Regards

Mistral

3 Replies
Robert
Posts: 10591
Admin
(@robert)
Support Team
Joined: 9 years ago

The "require" attribute is supported on all browsers, even it's supported on IE 10.

  • Firefox: from 6+ (current version 66.x.x)
  • Safari: from 4+ (current version 12.x.x)
  • Chrome: from 6+ (current version 72.x.x)
  • Opera: from 10.6+ (current version 58.x.x)
  • IE: from 10+ ( IE 11 is very rare, currently it's the Edge 42.x.x)
  • Android: from 2.3 (current version 19.x.x)

 

So the versions from where it's started to be supported is so old then you almost have no chance to find them. We don't support older browser versions, it's out of all rules for sure.

user removes it, you can submit the form without these checked. This is a pretty serious issue as it allows GDPR 'must-tick' boxes to be avoided and users would be sent emails without the necessary record of acceptance.

User removes it? This checkbox is not designed to save or transfer data, so you don't need to worry. If user is a hacker and he/she removes the checkbox it doesn't mean he/she didn't accepted rules. Removing checkbox cannot be an argument to say "I registered without accepting". This is an illegal action so it can't make any problem with GDPR. So, the idea is this:

1. The checkbox exists.

2. It doesn't allow to submit form without accepting, because it's a required field.

3. So there is no any legal way to submit this form legally without checking the checkbox, and this is truth.

 

And yes, there maybe some user, who uses IE 5 on Windows 2000. But I think the GDPR low will not judge you for this. You can easily say all web softwares don't support this browser version...

 

 

2 Replies
(@mistral)
Joined: 6 years ago

Eminent Member
Posts: 23

Hi Robert

Thanks for the detailed response. I agree that it would be an illegal use of the form or unlikely the browser won't support 'required'.

I'm also not qualified to argue about GDPR's position where you 'tried' but failed to get consent. Lets say you are right about that...but what if we consider some different examples.

Where business or other legal requirements are a dealbreaker eg getting 18+ age consent for example, then we must be able to reject forms which have been tampered with. In my case the GDPR consent is less important than other fields which are related to protecting vulnerable individuals. Missing data could have serious ramifications.

Debating aside, in its current state, the lack of server side validation on these fields would fail a basic penetration test, which we will be subjected to. Thankfully I can hook into a filter and apply my own checks to plug that gap. Something like this...

add_filter('wpforo_create_profile', function ($user_fields) {
if( isset($_POST['wpfreg']) && !empty($_POST['wpfreg'])){

if (WPF()->tools_legal['rules_checkbox']==1) {
if (!isset($_POST['legal']['rules']) || ($_POST['legal']['rules']==0)) {
$user_fields['error'] = TRUE;
WPF()->notice->add('Rules checkbox not complete.', 'error');
return false;
}
}
if (WPF()->tools_legal['checkbox_forum_privacy']==1) {
if (!isset($_POST['legal']['gdpr']) || ($_POST['legal']['gdpr']==0)) {
$user_fields['error'] = TRUE;
WPF()->notice->add('Privacy policy checkbox not complete.', 'error');
return false;
}
}


}
return $user_fields;

});

One thing I have not been able to locate, is where you store the legal checkbox values. I am unable to find them in the database. Please can you point me in the right direction?

 

Thanks and regards

Mistral

(@mistral)
Joined: 6 years ago

Eminent Member
Posts: 23

Hi Robert

Reading your response again, I see you already told me:

"This checkbox is not designed to save or transfer data"

Unfortunately in the UK this means I would not be compliant, as I am required to record the consent and timestamp it in a way that can be audited.

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/consent/how-should-we-obtain-record-and-manage-consent/

I have therefore rolled my own and save it in the user_meta table where we can get it at a later time if the need arose:

   // save gdpr checkbox data
add_action( 'wpforo_create_user_after', function ($data) {
if (isset($data['legal'])) {
$data['legal']['date']=time();
update_user_meta($data['userid'],'wpforo_legals',$data['legal']);
}


} );

 

Regards

Mistral