WeStandWithUkraine

4 years ago
4
Topic

Hi

Here is a trick for GDPR : every user who fills a form should be able to view, edit and delete his submission but what about guest users ? same thing !

the problem is that since he is not registered how can he returns to the site and view his "content' ? the only way we found is to send him an url to the form in the email he receives after the submission then if the contact form is /contact for example he can return to HIS form with /contact?id=xxx there we add a FREE Button with a delete behaviour and a MODIFY workflow restriction so that he can delete his submission if he wants to BUT the url I wrote (/contact?id=xx) is much too easy to fake !!!

So anyone could easily find and edit the submission of everyone else! and the GDPR texts explicitely claim that NO IDs linking to personnal datas should be found in the url !!! there we have a problem :(

So back to the starting point: how can we grant unregistered users the ability to edit his submission ?

rsjoomla writes HERE that the solution is to NEVER store the submissions of unregistered users. it means your contact form would never produce contents but I find this solution very disturbing

I also tried to generate a random uniq ID (with THIS plugin) in the form, create a Seblod search list that would take this GDPR uniq ID to find the content and display the form.

It works but when the form is displayed the URL is reverted back to a generic url with the content ID !!!

Any idea please ?

thanks

cyril

Get a Book for SEBLOD
546 Posts
joomleb
2 years ago
0
Level 1

Hi Cyril,

Please, Did you find any solution about ?

Have you yet added it to the SEBLOD GitHub account ?

2 years ago
0
Level 1

HI Joomleb

No real solution here except avoiding to register the submission for guest users. At the end it may be the more practical solution

Cyril

2 years ago
0
Level 1

Hi,

"every user who fills a form should be able to view, edit and delete his submission but what about guest users ? same thing !"

Nothing written exactly like this into the GDPR. 

View is about the right to access the data. It's never said you must provide an interface to do this. So for a public form we recommend to send all data submitted by the user into the email confirmation sent after the form submission.

Edit is about the right to modify. It's never said you must provide an interface to do this. You can invite the user to contact you to do this. 

Delete is directly a right (about to be forgot). Same as the right to modify, you can invite the user to contact you to do this.

You must not forgot other rights such as you must be prepared to send data that you have concerning a person, to stop any process using these data... But again it's never written you must provide an interface about this.

Thanks.

546 Posts
joomleb
2 years ago
0
Level 1

Hi guys,

Yes, I'm agree. I add, in first of all the "View/Edit/Delete" right should be generally specified into the Privacy Policy statement before then each public forms.

But also I remember that "Expiration datas" is part of GDPR, it should be explained into the Privacy policy, This is why the "System - Privacy Consent" has the Expiration tab.

Please,

- #590 Compatibility with Joomla 3.9 privacy suite - Consent Request

- Integration with Joomla Privacy Tools Suite

Can you help to solve these / to find a workaround ?

Get a VIP membership