node_agreement allows anonymous users (uid of 0) to sign off on the agreement. After 1 anonymous user has accepted, all anonymous users can access the content without accepting the terms.

IMHO this ability to accept/view the content should be restricted only to authenticated users. Maybe another option to 'allow anonymous views' is necessary, once the 'accept agreement every time' feature is in place.

Comments

infojunkie’s picture

Thanks for your report. Different anonymous users should be required to individually sign the agreement, so that's clearly a bug.

Later, I might add the ability to specify the roles that are required to sign the agreement, among which 'anonymous users' will be present.

d0t101101’s picture

No problem at all, glad to be of help :)

The additional role settings would be great, as some sites might want to allow anonymous user visibility of nodes with an agreement, but I think most would not... It would be virtually impossible to legally enforce an NDA, for example, if an anonymous user accepted it, as all you would have is just their IP address and time.

Please keep up the great work on this module! The functionality of your module is unique, and vital for some types of sites.

Best regards,
.

infojunkie’s picture

Status: Active » Fixed

Fixed in the latest dev. For anonymous users, their signature is remembered in the session. Please try it (12 hours from now) and let me know if it works!

d0t101101’s picture

Will do!

Thank you for the quick response.

Best regards,
.

d0t101101’s picture

Status: Fixed » Active

Hello again,

I tested the latest DEV, and the same issue persists. The details:

Anonymous user on PC A agrees to the terms.
Anonymous user on PC B on a different network/IP can see the contents of the node without agreeing.

Looking at the node_agreement_signature table, Anonymous user on PC A creates an entry for the node with a uid of 0. It seems Anonymous on PC B, or any other anonymous user, is able to use this signature again and again.

I suggest the following:

-Not record a signature for any anonymous user
-Implement the role settings you mentioned above, and default to not allowing anonymous user visibility

Best regards,
.

PS. Recording the IP address to a new field might be a good addition in general, for another layer of individual user identification.

infojunkie’s picture

Can you confirm that your version of node_agreement.module contains the lines:

<?php
     if ($user->uid == 0) { // anonymous signatures are only considered in the current session.
        $node->agreement['signed'] = (boolean)@$_SESSION['node_agreement'][$node->nid];
      }
?>

That's the code used to handle anonymous users separately.

d0t101101’s picture

Hi Kratib,

Sorry for the slow reply, I was out of town. Indeed, my version has the above code, I grabbed the latest dev version before testing on the 22nd.

Best regards,
.

infojunkie’s picture

Issue summary: View changes
Status: Active » Closed (won't fix)

I am officially stopping work on this module.