Require existing users to accept the ToS #513

Closed
joseepoirier opened this issue Aug 14, 2024 · 5 comments

@joseepoirier
Collaborator

Upon their first login to the platform, the frontend checks the /users/me endpoint to see if they have any ToS remaining that they need to agree to. If so, a modal pops up to ask the user to agree to the ToS. If they decline, the user is brought back to the landing page. If they agree, the backend records the name and ID of the ToS version with a timestamp and the user is brought to the home page.

@annavik
Member

annavik commented Aug 15, 2024

Got it! In order to implement this, we first need the terms of service to exist somewhere and for the backend to be able to store and return this info. Marking as blocked for now.

@joseepoirier
Collaborator Author

The final copy for the ToS is coming: https://github.com/RolnickLab/ami-admin/issues/22

@mihow
Collaborator

mihow commented Aug 20, 2024

Notes from discussion between @mihow and @annavik

OPTIONS

  1. Enforce permissions / terms based on check to user role

     • Data manager
     • Project administrator
     • Species validator
     • Data consumer

CAVEAT: roles are based on project, so a user can upload their own data to their own new project, even if they don't have access to upload data to a major/existing project.

  2. Enforce based on specific action permission

Associate Terms with Permissions. So to perform an action, you need the permission to perform that action on that object (which is already half-implemented). Now for that permissions check, we could also check to see if all associated Terms have been accepted.

To process this image, you need to belong to Project X and have accepted Term X

  3. Or all users need to accept all terms

Suggestion: go with option #3, but re-state terms that are specific to certain contexts.

Tasks

FRONTEND

New page type that is not a modal

New page for viewing all terms, with linkable headers
https://app.preview.insectai.org/terms#one

Loop over terms, show if user has agreed and when

New page for cookie / GDPR info
https://app.preview.insectai.org/terms/

Can we make each GDPR clause a term as well? To explore in #350

Or just a static page?
https://app.preview.insectai.org/pages/gdpr

On periodic checks to /me for logged-in state, also check if the user has agreed to all terms. If not, show modal with terms that need to be agreed to.

BACKEND

  • Add new model for Terms (field for when the user agreed, field for when the term was created or modified, field for name & short description, field for slug/key to reference in frontend)
  • Add new endpoint - view all, and agree-to endpoint
  • Add terms data to the current user
  • Add terms check to all permission checks on the backend. Anything that requires a logged-in state needs to also check all of the terms.
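
A minimal sketch of the backend tasks listed above, as an added example that is not code from this thread or from the project. It is plain Python with hypothetical names (`Term`, `User`, `outstanding_terms`, `agree`, `is_allowed`, `me_payload`, and the constructed `TERMS` sample), and it assumes a term must be re-accepted once it is modified after the user agreed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Term:
    slug: str             # key the frontend references, e.g. /terms#<slug>
    name: str
    description: str
    updated_at: datetime  # when the term was created or last modified


@dataclass
class User:
    username: str
    permissions: set = field(default_factory=set)
    accepted: dict = field(default_factory=dict)  # slug -> time the user agreed


# Constructed sample terms, not the project's real ToS.
TERMS = [
    Term("data-use", "Data use", "How uploaded data may be used",
         datetime(2024, 8, 20, tzinfo=timezone.utc)),
    Term("uploads", "Uploads", "Rules for uploaded images",
         datetime(2024, 8, 20, tzinfo=timezone.utc)),
]


def outstanding_terms(user, terms):
    """Slugs never accepted, or accepted before the term's last modification."""
    return [t.slug for t in terms
            if user.accepted.get(t.slug) is None
            or user.accepted[t.slug] < t.updated_at]


def agree(user, term, now=None):
    """Record acceptance with a server-side timestamp, never a client-supplied one."""
    user.accepted[term.slug] = now or datetime.now(timezone.utc)


def is_allowed(user, permission, terms):
    """Option 3: the permission check also requires every term to be accepted."""
    if permission not in user.permissions:
        return False, "missing permission"
    pending = outstanding_terms(user, terms)
    if pending:
        return False, "terms not accepted: " + ", ".join(pending)
    return True, "ok"


def me_payload(user, terms):
    """Terms data attached to the current user so the frontend can show the modal."""
    return {"username": user.username,
            "terms_outstanding": outstanding_terms(user, terms)}
```

Because `is_allowed` runs on the server, a client that skips or dismisses the modal still cannot perform an action until every term is accepted.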

@joseepoirier
Collaborator Author

joseepoirier commented Aug 20, 2024

Thank you so much for fleshing this out together. 🙌🏻

Option # 3 it is. 🎉 (This is how Legal was envisioning it, too.)

@annavik
Member

annavik commented Sep 5, 2024

For public launch, we decided that what is important is to have Terms of Service visible on the site and to inform users about this. This was fixed in #550.

Closing this and adding a post-launch follow-up task #556.

@annavik annavik closed this as completed Sep 5, 2024