fix: add legal links & cookie consent

NOTE: cookie consent dialog is not yet activated

Makefile

@@ -44,10 +44,22 @@ openapi-schema:
 	npx openapi -i schema.json -o src/typings/api/
 	rm -f schema.json
 
+.PHONY: setup
 setup:
 	poetry install
 	yarn install
 
+.PHONY: clean
+clean:
+	rm -Rf dist/*
+	rm -Rf build/*
+
+.PHONY: build
+build:
+	yarn build
+	cp -R src/assets/ build/assets/
+	./manage.py collectstatic --no-input
+
 docker-image:
 	docker build --build-arg GIT_SHORT_SHA=$(GIT_SHORT_SHA) -f ./docker/Dockerfile -t $(DOCKER_TAG):latest .
 

content/legal/dpp-en.md

@@ -0,0 +1,127 @@
+[TOC]
+
+For the Open Broadcast Platform to be used according to its core objectives and purpose, the Licensee (digris AG) must collect, use and make available to other Users personal information by Users. digris AG treats personal information by Users confidentially, does not disclose it to third parties outside the User community and conducts all its business in compliance with Swiss and European Data Protection laws, [DSG](https://web.archive.org/web/20101120160721/http://www.admin.ch/ch/d/sr/c235_1.html), [VDSG](https://web.archive.org/web/20101120160721/http://www.admin.ch/ch/d/sr/c235_11.html) and DSGVO/GDPR.
+
+This is how we use your personal information:
+
+1 General
+---------
+
+Personal information (hereinafter also “information”) is all data and information relating to an identified or identifiable person (such as for example name, address, phone number, date of birth, e-mail address as well as other data and information which you share or impart to us, in particular when registering, subscribing to the newsletter or using our platform.
+
+“Processing” is any operation with personal data, such as in particular the collection, storage, administration, use, evaluation, transmission, disclosure or deletion.
+
+Your information is solely used for the purposes communicated in the present Data Use Policy. digris AG takes the necessary measures to protect personal information against loss, theft and misuse.
+
+2 What personal information is collected and processed?
+-------------------------------------------------------
+
+digris AG collects information in different ways and at different opportunities. Some personal information is collected on your registration when you fill in your User profile, including name, details needed in context with the Open Broadcast Platform, private or business contact details or an IBAN (International Bank Account Number). The provision of most information is optional. Obligatory details necessary to proceed are asterisked (\*).
+
+digris AG conducts internal surveys on User activity, based on the information available to us through your registration and from our server log files. These surveys are comprehensively compiled and analyzed, and they are especially used to find and sanction any type of misuse of the Platform.
+
+Additionally, digris AG uses an implemented mechanism to monitors if the number of downloaded files is proportionate to produced media contributions or programs.
+
+Information practices by third parties with a link to the Open Broadcast Platform, or third parties whose link is accessible on our internet portal are not part of this Data Use Policy.
+
+3 For what purposes do we collect personal information?
+-------------------------------------------------------
+
+digris AG collects and uses User information in order to:
+
+*   Limit access to the Platform.
+*   Enable media operations, i.e. enable Authors (active Users) to produce radio programs interactively and collaboratively, and to efficiently find required resources (labor or equipment).
+*   \>digris AG collects personal information for the purposes of identification, media productions, and marketing (sending newsletters or one-off emails in the context of special events as part of media production).
+*   Personal information is only used for publication in the editorial section of periodically published media. No data is passed on to third parties without the knowledge of the person concerned (Art. 11 a Abs. 5 lit c. [DSG](https://web.archive.org/web/20101120160721/http://www.admin.ch/ch/d/sr/235_1/a11a.html)).
+
+4 Cookies
+---------
+
+Based on its legitimate interests, digris AG uses Google Analytics, a web analytics service by Google LLC (“Google”). Google uses cookies, i.e. text files saved on the User’s terminal device. Information regarding use of the online service, as generated by cookies, are then transmitted to a Google server in the USA and stored there.
+
+Google will use such information on our behalf in order to evaluate the use of our online service, to generate reports regarding activities within our online service and to provide further services to digris AG regarding the use of our online services and of the internet.
+
+We only use Google Analytics with active IP-anonymisation. Thus, the IP addresses of Users in Switzerland, in the EU or in EEA countries are abbreviated by Google.
+
+By changing the settings of their browser software, Users can prevent the retention of cookies. Further, Users can prevent the transmission to Google of the information generated by cookies, as well as the processing of such information by Google, by downloading and installing the browser-plugin available here: [https://tools.google.com/dlpage/gaoptout?hl=en.](https://tools.google.com/dlpage/gaoptout?hl=en).
+
+Alternatively, you can prevent the collection of your information by Google Analytics on this website by clicking on this link: .By using this link, you download an “opt-out-cookie”, provided the settings in your browser allow for the download of cookies. If you periodically delete your cookies, this link will have to be used upon every visit to the website.
+
+Please use the following link to obtain further information regarding data processing by Google, settings and opt out: [https://support.google.com/analytics/answer/6004245?hl=en.](https://support.google.com/analytics/answer/6004245?hl=en) The retention period for user and event history data is 14 months.
+
+5 What information is passed on to third parties and for what purposes?
+-----------------------------------------------------------------------
+
+By accepting our Terms and Conditions, every User explicitly agrees that certain personal information is passed on to third parties and thus to other countries. We differentiate between the following:
+
+*   Details marked "private" are not passed on to third parties.
+*   Details marked "only for logged-in Users" are passed on to other Users on the Platform for the purpose of media production.
+*   Details marked "public" are publicly accessible and can be accessed in other countries.
+
+Beyond the above, digris AG does not pass on any other information without the explicit consent by the person concerned.
+
+However, digris AG reserves the right to process information and personal data and to disclose it to the relevant civil authorities and law enforcement agencies, in order to satisfy the requirements of the applicable law, directives, court proceedings or criminal prosecution.
+
+6 How can Users select how their information is used?
+-----------------------------------------------------
+
+If digris AG introduces new uses of personal information, it notifies the User by email. If Users do not agree to it, they can object by writing an email to [[email protected]](mailto:[email protected]).
+
+7 Based on which legal rules is personal information processed?
+---------------------------------------------------------------
+
+digris AG processes personal information in accordance with applicable data protection legislation.
+
+In cases where consent has been obtained, the processing of information is based on such consent. This applies, in particular, to newsletter subscriptions or to the creation of a user profile.
+
+Personal data will also be processed based on digris AG’s legitimate interests. This includes, in particular, information processing for the purpose of the operation of the Platform.
+
+8 Do Users have the option to amend, update and delete information?
+-------------------------------------------------------------------
+
+Every User can edit his or her account details anytime, using the relevant login and password. Please contact [[email protected]](mailto:[email protected]) if you want to close your account or if you have any other problems.
+
+9 Retention period
+------------------
+
+digris AG will only use and store information for the period required by the purpose of processing or as permitted by law. Information held by digris AG in connection with a contractual relationship to a User will be stored for the duration of the contractual relationship itself and of any applicable prescription periods for potential claims by digris AG or as long as statutory or contractual obligations to preserve records apply.
+
+10 What rights do Users have?
+-----------------------------
+
+By law Users have the following rights, in particular:
+
+*   Right to information: Every User is entitiled to obtain from digris AG, at any time and free of cost, information as to what personal information is processed and if such information is disclosed to any foreign country.
+*   Right to correct information: Every User is entitled to demand that any incorrect or incomplete information is corrected or amended as soon as possible.
+*   Right to demand deletion of information: Every User is entitled to demand the deletion of his or her personal information, if such information is not required anymore for the purposes for which it was collected or processed, provided that such deletion is not prohibited by legal rules.
+*   Right to limit processing: In certain cases defined by the applicable law, Users are entitled to demand restrictions to information processing.
+*   Right to object: By law, every User has the right to object to the processing of his or her information.
+*   Right to information transfer: Every User is entitled to demand the transfer of his or her data in a structured, established and machine-readable format.
+
+Users must claim their rights by sending email to digris AG at [[email protected]](mailto:[email protected]) digris AG can demand additional information for identification purposes.
+
+Information is provided by the Licensee free of charge. The Licensee reserves the right to charge an appropriate contribution to administrative costs incurred for giving information, if the User requests more than one copy or if the request is obviously unsubstantiated or excessive. This applies, in particular, if (1) the person making a request was already given the required information in a period of 12 months before the request, and if no interest worth protecting in the provision of new information can be proven; if (2) the provision of information is subject to a particularly high labor input. The contribution is a maximum of 300 Swiss Francs.
+
+11 What security measures are taken for the protection of personal data?
+------------------------------------------------------------------------
+
+digris AG takes the following security measures in order to prevent the loss, misuse or alteration of information and personal data, while observing particularly Art. 9 [VDSG](https://www.admin.ch/opc/de/classified-compilation/19930159/index.html#a9) (Ordinance to the Swiss Data Protection act).
+
+*   Server access control: The Open Broadcast Platform servers are solely operated in secured server rooms and data centers with restricted access.
+*   Data storage medium control: The theft of individual data storage media from secured rooms does not give access to personal information.
+*   Transport control: Data transports are solely conducted for reasons of data security and to ensure system stability. The encryption of these transports complies with Current Best Practice and is constantly updated.
+*   Disclosure control: In compliance with article 3 of this Data Use Policy, no information is provided to third parties by means of data storage media, with the exception of law enforcement agencies with an appropriate court order.
+*   Data storage control: Alongside the concerned person, only Administrators of digris AG subject to a privacy agreement can view, change and delete personal information. Ultimate responsibility lies with Users themselves, who protect their personal information with a password, and mark it as "private, "only for logged-in Users" or "public".
+*   User control: The data processing system of the Open Broadcast Platform is protected by upstream systems (firewalls) that protect Users from unwarranted access. When Users themselves edit their data, the data transfer between User and system is protected from access by unauthorized third parties by means of encryption.
+*   Access control: Access by authorized individuals is limited to the personal information required for the delivery of their task. Solely the Users themselves and the Administrators of digris AG have full access to personal information.
+*   Entry control: In our automated system it is possible to carry out retrospective checks to see which personal information was entered by which individual at which time.
+
+12 Contact
+----------
+
+Feel free to ask any questions on our Data Use Policy at [[email protected]](mailto:[email protected]). We can also be contacted at the following address: digris AG, Data Protection Officer, Lessingstrasse 33, 8002 Zurich
+
+13 Amendments
+-------------
+
+digris AG reserves the right to amend this Data Use Policy at any time. Any amendments are promptly published on the Digris and Open Broadcast website. It is the User’s responsibility to inform themselves of the current version of the Data Use Policy.

core/settings/base.py

@@ -112,6 +112,7 @@
                 "django.template.context_processors.request",
                 "vite.context_processors.vite_proxied",
                 "django.contrib.auth.context_processors.auth",
+                "django.template.context_processors.i18n",
                 "django.contrib.messages.context_processors.messages",
                 "django_settings_export.settings_export",
                 "social_django.context_processors.backends",
@@ -475,6 +476,8 @@
 ##################################################################
 # services
 ##################################################################
+API_BASE_URL = "/api/v1/"
+
 STREAM_ENDPOINTS = {
     "dash": "https://stream-abr.next.openbroadcast.ch/dash/stream.mpd",
     "hls": "https://stream-abr.next.openbroadcast.ch/hls/manifest.m3u8",
@@ -532,6 +535,7 @@
     "DEBUG",
     "SITE_URL",
     "STATIC_URL",
+    "API_BASE_URL",
     "IMAGE_RESIZER_ENDPOINT",
     "STREAM_ENDPOINTS",
     "STREAM_LATENCY",

core/templates/index.html

@@ -1,5 +1,5 @@
 {% load i18n static settings_export_tags share_tags usersnap_tags %}<!doctype html>
-<html lang="{{ LANGUAGE }}">
+<html lang="{{ LANGUAGE_CODE }}">
 <head>
   <title>open broadcast radio</title>
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
@@ -18,19 +18,26 @@
   </style>
   <script>
     document.settings = {% json_settings settings %};
-    document.settings.API_BASE_URL = "{% url 'api:base' %}";
     {% if color %}document.settings.COLOR = {{ color }}{% endif %}
     {% if client_mode %}document.settings.CLIENT_MODE = "{{ client_mode }}"{% endif %}
   </script>
+  <script>
+    window.dataLayer = [];
+  </script>
   {% if settings.GOOGLE_GTM_ID %}<script>
     (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
     new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
     j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
     'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
     })(window,document,'script','dataLayer','{{ settings.GOOGLE_GTM_ID }}');
-  </script>{% else %}<script>
-    window.dataLayer = [];
   </script>{% endif %}
+  {% comment %}{% if settings.GOOGLE_GTM_ID %}<script type="text/plain" data-cookiecategory="analytics">
+    (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
+    new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
+    j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
+    'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
+    })(window,document,'script','dataLayer','{{ settings.GOOGLE_GTM_ID }}');
+  </script>{% endif %}{% endcomment %}
 </head>
 <body
   id="body"

docker-compose.yml

@@ -56,6 +56,8 @@ services:
       context: ${PWD}
       dockerfile: ${PWD}/compose/core/Dockerfile
     image: obr/core:lateest
+#    ports:
+#      - "7777:8000"
     volumes:
       - ${PWD}/data:/app/data
     environment:

package.json

@@ -50,6 +50,7 @@
     "shaka-player": "4.3.0",
     "shifty": "^2.17.1",
     "showdown": "^2.1.0",
+    "vanilla-cookieconsent": "^2.8.9",
     "vue": "^3.2.31",
     "vue-i18n": "^9.1.9",
     "vue-router": "^4.0.12",

src/App.vue

@@ -5,6 +5,8 @@ import { useWindowSize } from "@vueuse/core";
 import { AppBridge } from "@/app-bridge/appBridge";
 import AuthSidebar from "@/components/account/auth/AuthSidebar.vue";
 import GeoblockNotice from "@/components/geolocation/GeoblockNotice.vue";
+import CookieConsent from "@/components/legal/CookieConsent.vue";
+import LegalLinks from "@/components/legal/LegalLinks.vue";
 import GlobalSearch from "@/components/navigation/GlobalSearch.vue";
 import Navigation from "@/components/navigation/Navigation.vue";
 import SideMenu from "@/components/navigation/SideMenu.vue";
@@ -35,6 +37,8 @@ export default defineComponent({
     GeoblockNotice,
     Player,
     ClaimVoucher,
+    CookieConsent,
+    LegalLinks,
   },
   setup() {
     const { loadUser } = useAccount();
@@ -69,4 +73,6 @@ export default defineComponent({
   <GeoblockNotice />
   <ClaimVoucher />
   <component :is="playerComponent" />
+  <LegalLinks />
+  <CookieConsent />
 </template>

src/api/cms.ts

@@ -3,10 +3,10 @@ import { useAPIBaseUrl } from "@/composables/api";
 
 const { APIBaseUrl } = useAPIBaseUrl();
 
-const PAGE_ENDPOINT = `${APIBaseUrl.value}cms/page`;
+// const PAGE_ENDPOINT = `${APIBaseUrl.value}cms/page`;
 
 async function getPage(path: string) {
-  const url = `${PAGE_ENDPOINT}${path}`;
+  const url = `${APIBaseUrl.value}cms/page${path}`;
   const response = await APIClient.get(url);
   return response.data;
 }