✨ Add GDPR-Export for user #2444
Conversation
app/Models/User.php
Outdated
| $personalDataSelection | ||
| ->add('user.json', $user) | ||
| ->add('statuses.json', $this->statuses()->with('tags')->get()) | ||
| ->add('notifications.json', $this->notifications()->get()->toJson()) | ||
| ->add('likes.json', $this->likes()->get()->toJson()) | ||
| ->add('social_profile.json', $this->socialProfile()->with('mastodonserver')->get()) | ||
| ->add('event_suggestions.json', EventSuggestion::where('user_id', $this->id)->get()->toJson()) | ||
| ->add('events.json', Event::where('approved_by', $this->id)->get()->toJson()) | ||
| ->add('webhooks.json', $webhooks) | ||
| ->add( | ||
| 'webhook_creation_requests.json', | ||
| WebhookCreationRequest::where('user_id', $this->id)->get()->toJson() | ||
| ) | ||
| ->add('tokens.json', TokenController::index($this)->toJson()) | ||
| ->add('ics_tokens.json', $this->icsTokens()->get()->toJson()) | ||
| ->add( | ||
| 'password_resets.json', | ||
| DB::table('password_resets')->select(['email','created_at'])->where('email', $this->email)->get() | ||
| ) | ||
| ->add('apps.json', $this->oAuthClients()->get()->toJson()) | ||
| ->add('follows.json', DB::table('follows')->where('user_id', $this->id)->get()) | ||
| ->add('followings.json', DB::table('follows')->where('follow_id', $this->id)->get()) | ||
| ->add('blocks.json', DB::table('user_blocks')->where('user_id', $this->id)->get()) | ||
| ->add('blocked_by.json', DB::table('user_blocks')->where('blocked_id', $this->id)->get()) | ||
| ->add('mutes.json', DB::table('user_mutes')->where('user_id', $this->id)->get()) | ||
| ->add('muted_by.json', DB::table('user_mutes')->where('muted_id', $this->id)->get()) | ||
| ->add('follow_requests.json', DB::table('follow_requests')->where('user_id', $this->id)->get()) | ||
| ->add('follows_requests.json', DB::table('follow_requests')->where('follow_id', $this->id)->get()) | ||
| ->add('sessions.json', $this->sessions()->get()->toJson()) | ||
| ->add('home.json', $this->home()->get()->toJson()) | ||
| ->add('hafas_trips.json', DB::table('hafas_trips')->where('user_id', $this->id)->get()) | ||
| ->add('mentions.json', Mention::where('user_id', $this->id)->get()->toJson()) | ||
| ->add('roles.json', $this->roles()->get()->toJson()) | ||
| ->add( | ||
| 'activity_log.json', | ||
| DB::table('activity_log')->where('causer_type', get_class($this))->where('causer_id', $this->id)->get() | ||
| ) | ||
| ->add('permissions.json', $this->permissions()->get()->toJson()); |
There was a problem hiding this comment.
Ich finde es langfristig gesehen etwas kritisch, wenn wir einfach DB Queries raw ausspucken. Später hinzugefügte Columns, die nicht exposed werden sollten (z.B. irgendwelche Keys o.ä.) werden hier sicher vergessen. Wäre es nicht sinnvoller das noch einmal durch die Resourcen zu jagen?
There was a problem hiding this comment.
Alternativ einfach ein ->select([...]) mit den gewünschten Columns, damit nichts falsches exposed wird.
# Conflicts: # .idea/php.xml # lang/de.json # lang/en.json # resources/vue/components/NotificationEntry.vue
# Conflicts: # .idea/php.xml # .idea/trwl.iml # app/Models/User.php # composer.lock
|
|
||
| $user = $request->user(); | ||
|
|
||
| if ($user->recent_gdpr_export && $user->recent_gdpr_export->diffInDays(now()) < 30) { |
There was a problem hiding this comment.
Könnte man ggfs. mit dem Laravel Ratelimiter lösen.
| $personalDataSelection | ||
| ->add('user.json', $user) | ||
| ->add('notifications.json', $data->notifications()->get()->toJson()) | ||
| ->add('likes.json', $data->likes()->get()->toJson()) | ||
| ->add('social_profile.json', $data->socialProfile()->with('mastodonserver')->get()) | ||
| ->add('event_suggestions.json', EventSuggestion::where('user_id', $data->id)->get()->toJson()) | ||
| ->add('events.json', Event::where('approved_by', $data->id)->get()->toJson()) | ||
| ->add('webhooks.json', $webhooks) | ||
| ->add( | ||
| 'webhook_creation_requests.json', | ||
| WebhookCreationRequest::where('user_id', $data->id)->get()->toJson() | ||
| ) | ||
| ->add('tokens.json', TokenController::index($data)->toJson()) | ||
| ->add('ics_tokens.json', $data->icsTokens()->get()->toJson()) | ||
| ->add( | ||
| 'password_resets.json', | ||
| DB::table('password_resets')->select(['email', 'created_at'])->where('email', $data->email)->get() | ||
| ) | ||
| ->add('apps.json', $data->oAuthClients()->get()->toJson()) | ||
| ->add('follows.json', DB::table('follows')->where('user_id', $data->id)->get()) | ||
| ->add('followings.json', DB::table('follows')->where('follow_id', $data->id)->get()) |
There was a problem hiding this comment.
Generell: Anstatt direkt Models/Queries auszuspucken lieber durch Ressourcen vorher jagen bzw. plucken? Ich hab etwas Angst, dass wir irgendwann mal ein Feld hinzfügen, dass dann hier vergessen und wir ausversehen irgendeine Datenschutzpanne auslösen, wenn wir Daten von anderen Usern exposen, die wir hier nicht ausgeben sollten.
There was a problem hiding this comment.
"Notiz / Idee: Interface über Models, wo wir eine pro Model zwingend definieren, welche Columns exportiert werden. Dann wird das auch eher gepflegt."
-- @HerrLevin
| use Illuminate\Support\Facades\DB; | ||
| use Spatie\PersonalDataExport\PersonalDataSelection; | ||
|
|
||
| class UserGdprDataService |
There was a problem hiding this comment.
Gerade noch festgestellt: Wenn man die .zip herunterlädt fehlt die Dateiendung. Die Datei heißt einfach nur wie der User. Da sollten wir nochmal schauen.
rather than email, showing bothConfigure Queue to not interfere with backup downtimeIs this still needed?