[Koha] GDPR Policy, Pages feature, and 22.05 vs. 22.11

[David Liddle]

Greetings all!

Our consortium, which has libraries and patrons subject to the EU's
GDPR, has published a new privacy policy that was created and tested
with the new Pages feature in Koha 22.11 (on our development server)
and then copied to the old Pages/CMS modification in Koha 22.05 (on
our production server). On each:

- The system preference "PrivacyPolicyURL" was set to the full URL for
a page hosted by the same server, "opac-page.pl?page_id=xx" (22.11) or
"...pages.pl?p=privacy_full" (22.05).
- The system preference "GDPR_Policy" was set to "enforced".

We observed something interesting:
- On 22.11, the consent page and policy link worked as intended. A
patron who had not yet consented to the policy was presented with the
consent page, and clicking the policy link opened the policy page in a
new tab.
- On 22.05, the consent page and policy link did NOT work as intended.
The patron was presented with the consent page as expected, but the
policy link opened a new tab that loaded the consent page again.

After reviewing the situation for a while, I formed the following hypotheses:
- Koha 22.11 is NOT actually behaving as designed, because having
GDPR_Policy set to "enforced" should cause access to all content
served by Koha to be blocked until the patron has consented to the
privacy policy. However, access to content served by the new Pages
function is NOT blocked.
- Koha 22.05 is actually behaving as designed, because access to all
content served by Koha is indeed being blocked.

The "workaround" for Koha 22.05 is straightforward:
- I copied the HTML content of the relevant page, formatting included,
to an HTML file served directly by Apache and not by its Koha
processes, which means that it is not subject to blocking.
- Any other location not served through Koha should also work.

Questions and Thoughts:
- Can folks out there in the Koha community confirm the respective
behavior in Koha 22.05 and Koha 22.11?
- Can someone among the development crew clarify the designed behavior
and state whether or not a bug exists?
- The advantage of creating the privacy policy in the new Pages
feature is that it allows for translations, which is somewhat
important to our multilingual consortium.
- Given the above, could an exception to blocking due to the
enforcement of GDPR_Policy be created for a page that would be marked
somehow as being associated with the policy?

Thank you all for reading, and special thanks in advance to those who
give input!

Regards,

David Liddle
System Administrator
david.liddle at wycliff.de (but not for this list)

Wycliff e.V., https://wycliff.de
Seminar für Sprache und Kultur, https://spracheundkultur.org
Internationales Tagungszentrum Karimu, https://karimu.de