Store privacy policy acceptance records (#4095)

Author: marcoacierno

backend/api/orders/mutations.py

@@ -2,6 +2,7 @@
 from urllib.parse import urljoin
 
 from api.context import Info
+from privacy_policy.record import record_privacy_policy_acceptance
 from pretix import CreateOrderErrors
 import strawberry
 from django.conf import settings
@@ -60,6 +61,8 @@ def create_order(
         except PretixError as e:
             return CreateOrderErrors.with_error("non_field_errors", str(e))
 
+        record_privacy_policy_acceptance(info.context.request, "checkout-order")
+
         return_url = urljoin(
             settings.FRONTEND_URL,
             f"/{input.locale}/orders/{pretix_order.code}/confirmation",

backend/api/tests/schema/test_create_order.py

@@ -1,3 +1,4 @@
+from privacy_policy.models import PrivacyPolicyAcceptanceRecord
 from billing.tests.factories import BillingAddressFactory
 from billing.models import BillingAddress
 from conferences.tests.factories import ConferenceFactory
@@ -158,6 +159,10 @@ def test_calls_create_order(graphql_client, user, mocker):
     assert billing_address.vat_id == ""
     assert billing_address.fiscal_code == "GNLNCH22T27L523A"
 
+    assert PrivacyPolicyAcceptanceRecord.objects.filter(
+        user=user, privacy_policy="checkout-order"
+    ).exists()
+
 
 @override_settings(FRONTEND_URL="http://test.it")
 def test_handles_payment_url_set_to_none(graphql_client, user, mocker):

backend/privacy_policy/__init__.py

@@ -0,0 +1,6 @@
+from django.apps import AppConfig
+
+
+class PrivacyPolicyConfig(AppConfig):
+    default_auto_field = "django.db.models.BigAutoField"
+    name = "privacy_policy"

backend/privacy_policy/apps.py

@@ -0,0 +1,28 @@
+# Generated by Django 5.1.1 on 2024-09-30 23:48
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='PrivacyPolicyAcceptanceRecord',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('accepted_at', models.DateTimeField(auto_now_add=True)),
+                ('ip_address', models.GenericIPAddressField()),
+                ('user_agent', models.TextField()),
+                ('privacy_policy', models.CharField(max_length=1024)),
+                ('user', models.ForeignKey(on_delete=django.db.models.deletion.PROTECT, to=settings.AUTH_USER_MODEL)),
+            ],
+        ),
+    ]

backend/privacy_policy/migrations/0001_initial.py

@@ -0,0 +1,9 @@
+from django.db import models
+
+
+class PrivacyPolicyAcceptanceRecord(models.Model):
+    user = models.ForeignKey("users.User", on_delete=models.PROTECT)
+    accepted_at = models.DateTimeField(auto_now_add=True)
+    ip_address = models.GenericIPAddressField()
+    user_agent = models.TextField()
+    privacy_policy = models.CharField(max_length=1024)

backend/privacy_policy/migrations/__init__.py

@@ -0,0 +1,18 @@
+from django.http.request import HttpRequest
+from api.utils import get_ip
+from privacy_policy.models import PrivacyPolicyAcceptanceRecord
+
+
+def record_privacy_policy_acceptance(
+    request: HttpRequest, privacy_policy: str
+) -> PrivacyPolicyAcceptanceRecord:
+    user = request.user
+    ip = get_ip(request)
+    user_agent = request.headers.get("User-Agent", "")
+
+    return PrivacyPolicyAcceptanceRecord.objects.create(
+        user=user,
+        ip_address=ip,
+        user_agent=user_agent,
+        privacy_policy=privacy_policy,
+    )

backend/privacy_policy/models.py

@@ -0,0 +1,25 @@
+import time_machine
+from django.utils import timezone
+
+from privacy_policy.record import record_privacy_policy_acceptance
+from users.tests.factories import UserFactory
+
+
+def test_record_privacy_policy_acceptance(rf):
+    request = rf.get("/")
+    request.user = UserFactory(username="testuser", password="testpassword")
+    request.headers = {
+        "User-Agent": "Test User Agent",
+        "x-forwarded-for": "192.168.0.1",
+    }
+
+    accepted_at = timezone.now()
+
+    with time_machine.travel(accepted_at, tick=False):
+        record = record_privacy_policy_acceptance(request, "test-privacy-policy")
+
+    assert record.user_id == request.user.id
+    assert record.accepted_at == accepted_at
+    assert record.ip_address == "192.168.0.1"
+    assert record.user_agent == "Test User Agent"
+    assert record.privacy_policy == "test-privacy-policy"