Greetings all! Our consortium, which has libraries and patrons subject to the EU's GDPR, has published a new privacy policy that was created and tested with the new Pages feature in Koha 22.11 (on our development server) and then copied to the old Pages/CMS modification in Koha 22.05 (on our production server). On each:
- The system preference "PrivacyPolicyURL" was set to the full URL for a page hosted by the same server, "opac-page.pl?page_id=xx" (22.11) or "...pages.pl?p=privacy_full" (22.05).
- The system preference "GDPR_Policy" was set to "enforced".

We observed something interesting:

- On 22.11, the consent page and policy link worked as intended. A patron who had not yet consented to the policy was presented with the consent page, and clicking the policy link opened the policy page in a new tab.
- On 22.05, the consent page and policy link did NOT work as intended. The patron was presented with the consent page as expected, but the policy link opened a new tab that loaded the consent page again.

After reviewing the situation for a while, I formed the following hypotheses:

- Koha 22.11 is NOT actually behaving as designed, because having GDPR_Policy set to "enforced" should cause access to all content served by Koha to be blocked until the patron has consented to the privacy policy. However, access to content served by the new Pages function is NOT blocked.
- Koha 22.05 is actually behaving as designed, because access to all content served by Koha is indeed being blocked.

The "workaround" for Koha 22.05 is straightforward:

- I copied the HTML content of the relevant page, formatting included, to an HTML file served directly by Apache and not by its Koha processes, which means that it is not subject to blocking.
- Any other location not served through Koha should also work.

Questions and Thoughts:

- Can folks out there in the Koha community confirm the respective behavior in Koha 22.05 and Koha 22.11?
- Can someone among the development crew clarify the designed behavior and state whether or not a bug exists?
- The advantage of creating the privacy policy in the new Pages feature is that it allows for translations, which is somewhat important to our multilingual consortium.
- Given the above, could an exception to blocking due to the enforcement of GDPR_Policy be created for a page that would be marked somehow as being associated with the policy?

Thank you all for reading, and special thanks in advance to those who give input!

Regards,
David Liddle
System Administrator
david.lid...@wycliff.de (but not for this list)
Wycliff e.V., https://wycliff.de
Seminar für Sprache und Kultur, https://spracheundkultur.org
Internationales Tagungszentrum Karimu, https://karimu.de
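
A simplified model of the consent gate discussed in this message, as an added example that is not Koha's code and not part of the original post. It contrasts the behaviour observed on 22.05, the behaviour hypothesised for 22.11, and the requested exception limited to the exact policy page. The page ids, the consent path and the mode names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed values: the post elides the real page id ("page_id=xx").
PAGES_SCRIPT = "/opac-page.pl"
POLICY_URL = PAGES_SCRIPT + "?page_id=42"   # stands in for PrivacyPolicyURL
OTHER_PAGE = PAGES_SCRIPT + "?page_id=7"    # some unrelated Pages entry
CONSENT_PATH = "/consent"                   # hypothetical consent page


def _key(url):
    """Reduce a URL to (path, sorted query pairs) for exact comparison."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    return parts.path, tuple(sorted((k, tuple(v)) for k, v in query.items()))


def gate(url, consented, mode):
    """Return the URL actually served to the patron.

    block_all      every page is gated (as observed on 22.05)
    pages_open     anything under the Pages script is ungated
                   (22.11 as hypothesised in the post)
    exempt_policy  only the exact policy page is ungated
                   (the exception the post asks about)
    """
    path = urlsplit(url).path
    if consented or path == CONSENT_PATH:
        return url
    if mode == "pages_open" and path == PAGES_SCRIPT:
        return url
    # Exact match on path and full query, so an extra or changed
    # parameter does not ride through on the policy page's exemption.
    if mode == "exempt_policy" and _key(url) == _key(POLICY_URL):
        return url
    return CONSENT_PATH


if __name__ == "__main__":
    for mode in ("block_all", "pages_open", "exempt_policy"):
        for url in (POLICY_URL, OTHER_PAGE):
            print(f"{mode:14} {url:24} -> {gate(url, False, mode)}")
```

In the `block_all` row the policy link resolves back to the consent page, which is the loop described for 22.05; `pages_open` lets every Pages entry through, while `exempt_policy` releases only the policy itself.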