Add PII self-management: legal policies, user consent, data export, and account self-deletion

Implements GDPR-compliant features for user data management (#727): publicly accessible Terms of Service and Privacy Policy pages with per-language support and admin editor, a captive consent flow that requires users to accept policies before accessing the application (only when user registration is enabled), XML data export of user profile and associated data, and account self-deletion with sole-administrator protection.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: nikosdion

ViewTemplates/Login/default.blade.php

@@ -99,6 +99,16 @@ class="btn btn-link text-decoration-none p-0 text-start"
             </div>
         </div>
 
+        <div class="mt-3 text-center small">
+            <a href="@route('index.php?view=policies&task=tos')" class="text-decoration-none" target="_blank">
+                @lang('PANOPTICON_POLICIES_TITLE_TOS')
+            </a>
+            <span class="text-muted mx-1">|</span>
+            <a href="@route('index.php?view=policies&task=privacy')" class="text-decoration-none" target="_blank">
+                @lang('PANOPTICON_POLICIES_TITLE_PRIVACY')
+            </a>
+        </div>
+
         <input type="hidden" name="token" value="@token()">
         <input type="hidden" name="return"
                value="<?= empty($this->returnUrl) ? '' : base64_encode($this->returnUrl) ?>">

ViewTemplates/Policies/default.blade.php

@@ -0,0 +1,33 @@
+<?php
+/**
+ * @package   panopticon
+ * @copyright Copyright (c)2023-2026 Nicholas K. Dionysopoulos / Akeeba Ltd
+ * @license   https://www.gnu.org/licenses/agpl-3.0.txt GNU Affero General Public License, version 3 or later
+ */
+
+defined('AKEEBA') || die;
+
+/** @var \Akeeba\Panopticon\View\Policies\Html $this */
+
+?>
+
+<div class="container my-4">
+    <div class="card">
+        <div class="card-header">
+            <h3 class="card-title m-0">
+                <span class="fa fa-file-contract me-2" aria-hidden="true"></span>
+                @lang('PANOPTICON_POLICIES_TITLE_TOS')
+            </h3>
+        </div>
+        <div class="card-body">
+            {!! $this->policyContent !!}
+        </div>
+    </div>
+
+    <p class="mt-3 text-center">
+        <a href="javascript:history.back()" class="btn btn-outline-secondary">
+            <span class="fa fa-arrow-left me-1" aria-hidden="true"></span>
+            @lang('PANOPTICON_BTN_PREV')
+        </a>
+    </p>
+</div>

ViewTemplates/Policies/edit.blade.php

@@ -0,0 +1,102 @@
+<?php
+/**
+ * @package   panopticon
+ * @copyright Copyright (c)2023-2026 Nicholas K. Dionysopoulos / Akeeba Ltd
+ * @license   https://www.gnu.org/licenses/agpl-3.0.txt GNU Affero General Public License, version 3 or later
+ */
+
+defined('AKEEBA') || die;
+
+/** @var \Akeeba\Panopticon\View\Policies\Html $this */
+
+$token = $this->container->session->getCsrfToken()->getValue();
+
+?>
+
+<form action="@route('index.php?view=policies&task=save')" method="post"
+      name="adminForm" id="adminForm" class="py-3"
+>
+
+    <div class="row mb-3">
+        <label for="type" class="col-sm-3 col-form-label">
+            @lang('PANOPTICON_POLICIES_LBL_TYPE')
+        </label>
+        <div class="col-sm-9">
+            <select name="type" id="type" class="form-select"
+                    onchange="document.location='@route('index.php?view=policies&task=edit')' + '&type=' + this.value + '&language=' + document.getElementById('language').value">
+                <option value="tos" {{ $this->policyType === 'tos' ? 'selected' : '' }}>
+                    @lang('PANOPTICON_POLICIES_TITLE_TOS')
+                </option>
+                <option value="privacy" {{ $this->policyType === 'privacy' ? 'selected' : '' }}>
+                    @lang('PANOPTICON_POLICIES_TITLE_PRIVACY')
+                </option>
+            </select>
+        </div>
+    </div>
+
+    <div class="row mb-3">
+        <label for="language" class="col-sm-3 col-form-label">
+            @lang('PANOPTICON_POLICIES_LBL_LANGUAGE')
+        </label>
+        <div class="col-sm-9">
+            {{ $this->getContainer()->helper->setup->languageOptions(
+                    $this->policyLanguage,
+                    name: 'language',
+                    id: 'language',
+                    attribs: [
+                        'class' => 'form-select',
+                        'onchange' => "document.location='" . $this->container->router->route('index.php?view=policies&task=edit') . "&type=" . $this->policyType . "&language=' + this.value",
+                    ],
+                ) }}
+        </div>
+    </div>
+
+    <div class="row mb-3">
+        <label for="content" class="col-sm-3 col-form-label">
+            @lang('PANOPTICON_POLICIES_LBL_CONTENT')
+        </label>
+        <div class="col-sm-9">
+            {{ \Akeeba\Panopticon\Library\Editor\TinyMCE::editor(
+                'content',
+                $this->policyContent,
+                [
+                    'id' => 'content',
+                    'relative_urls' => true,
+                ]
+            ) }}
+        </div>
+    </div>
+
+    <div class="row mb-3">
+        <div class="col-sm-9 offset-sm-3">
+            <div class="d-flex flex-row gap-2">
+                <button type="submit" class="btn btn-primary">
+                    <span class="fa fa-save me-1" aria-hidden="true"></span>
+                    @lang('PANOPTICON_BTN_SAVE')
+                </button>
+                <a href="@route('index.php?view=sysconfig')" class="btn btn-outline-secondary">
+                    <span class="fa fa-xmark me-1" aria-hidden="true"></span>
+                    @lang('PANOPTICON_BTN_CANCEL')
+                </a>
+            </div>
+        </div>
+    </div>
+
+    <div class="row mb-3">
+        <div class="col-sm-9 offset-sm-3">
+            <div class="d-flex flex-row gap-2">
+                <a href="@route('index.php?view=policies&task=tos')" class="btn btn-outline-info btn-sm" target="_blank">
+                    <span class="fa fa-eye me-1" aria-hidden="true"></span>
+                    @lang('PANOPTICON_POLICIES_LBL_PREVIEW_TOS')
+                </a>
+                <a href="@route('index.php?view=policies&task=privacy')" class="btn btn-outline-info btn-sm" target="_blank">
+                    <span class="fa fa-eye me-1" aria-hidden="true"></span>
+                    @lang('PANOPTICON_POLICIES_LBL_PREVIEW_PRIVACY')
+                </a>
+            </div>
+        </div>
+    </div>
+
+    <input type="hidden" name="@token(true)" value="1">
+
+</form>

ViewTemplates/Policies/privacy.blade.php

@@ -0,0 +1,33 @@
+<?php
+/**
+ * @package   panopticon
+ * @copyright Copyright (c)2023-2026 Nicholas K. Dionysopoulos / Akeeba Ltd
+ * @license   https://www.gnu.org/licenses/agpl-3.0.txt GNU Affero General Public License, version 3 or later
+ */
+
+defined('AKEEBA') || die;
+
+/** @var \Akeeba\Panopticon\View\Policies\Html $this */
+
+?>
+
+<div class="container my-4">
+    <div class="card">
+        <div class="card-header">
+            <h3 class="card-title m-0">
+                <span class="fa fa-shield-halved me-2" aria-hidden="true"></span>
+                @lang('PANOPTICON_POLICIES_TITLE_PRIVACY')
+            </h3>
+        </div>
+        <div class="card-body">
+            {!! $this->policyContent !!}
+        </div>
+    </div>
+
+    <p class="mt-3 text-center">
+        <a href="javascript:history.back()" class="btn btn-outline-secondary">
+            <span class="fa fa-arrow-left me-1" aria-hidden="true"></span>
+            @lang('PANOPTICON_BTN_PREV')
+        </a>
+    </p>
+</div>

ViewTemplates/Userconsent/default.blade.php

@@ -0,0 +1,160 @@
+<?php
+/**
+ * @package   panopticon
+ * @copyright Copyright (c)2023-2026 Nicholas K. Dionysopoulos / Akeeba Ltd
+ * @license   https://www.gnu.org/licenses/agpl-3.0.txt GNU Affero General Public License, version 3 or later
+ */
+
+defined('AKEEBA') || die;
+
+/** @var \Akeeba\Panopticon\View\Userconsent\Html $this */
+
+$token = $this->container->session->getCsrfToken()->getValue();
+
+?>
+
+<div class="container my-4">
+    {{-- Header --}}
+    <div class="alert alert-info">
+        <h4 class="alert-heading">
+            <span class="fa fa-handshake me-2" aria-hidden="true"></span>
+            @lang('PANOPTICON_USERCONSENT_HEAD_REQUIRED')
+        </h4>
+        <p class="mb-0">
+            @lang('PANOPTICON_USERCONSENT_LBL_EXPLANATION')
+        </p>
+    </div>
+
+    {{-- Terms of Service --}}
+    <div class="accordion mb-3" id="policyAccordion">
+        <div class="accordion-item">
+            <h2 class="accordion-header" id="headingTos">
+                <button class="accordion-button collapsed" type="button"
+                        data-bs-toggle="collapse" data-bs-target="#collapseTos"
+                        aria-expanded="false" aria-controls="collapseTos">
+                    <span class="fa fa-file-contract me-2" aria-hidden="true"></span>
+                    @lang('PANOPTICON_POLICIES_TITLE_TOS')
+                </button>
+            </h2>
+            <div id="collapseTos" class="accordion-collapse collapse" aria-labelledby="headingTos"
+                 data-bs-parent="#policyAccordion">
+                <div class="accordion-body" style="max-height: 400px; overflow-y: auto;">
+                    {!! $this->tosContent !!}
+                </div>
+                <div class="accordion-footer p-2 text-end border-top">
+                    <a href="@route('index.php?view=policies&task=tos')" target="_blank" class="btn btn-sm btn-outline-secondary">
+                        <span class="fa fa-external-link me-1" aria-hidden="true"></span>
+                        @lang('PANOPTICON_USERCONSENT_LBL_VIEW_FULL')
+                    </a>
+                </div>
+            </div>
+        </div>
+
+        <div class="accordion-item">
+            <h2 class="accordion-header" id="headingPrivacy">
+                <button class="accordion-button collapsed" type="button"
+                        data-bs-toggle="collapse" data-bs-target="#collapsePrivacy"
+                        aria-expanded="false" aria-controls="collapsePrivacy">
+                    <span class="fa fa-shield-halved me-2" aria-hidden="true"></span>
+                    @lang('PANOPTICON_POLICIES_TITLE_PRIVACY')
+                </button>
+            </h2>
+            <div id="collapsePrivacy" class="accordion-collapse collapse" aria-labelledby="headingPrivacy"
+                 data-bs-parent="#policyAccordion">
+                <div class="accordion-body" style="max-height: 400px; overflow-y: auto;">
+                    {!! $this->privacyContent !!}
+                </div>
+                <div class="accordion-footer p-2 text-end border-top">
+                    <a href="@route('index.php?view=policies&task=privacy')" target="_blank" class="btn btn-sm btn-outline-secondary">
+                        <span class="fa fa-external-link me-1" aria-hidden="true"></span>
+                        @lang('PANOPTICON_USERCONSENT_LBL_VIEW_FULL')
+                    </a>
+                </div>
+            </div>
+        </div>
+    </div>
+
+    {{-- Consent Buttons --}}
+    <div class="card mb-3">
+        <div class="card-body text-center">
+            <p class="mb-3">
+                @lang('PANOPTICON_USERCONSENT_LBL_AGREE_PROMPT')
+            </p>
+            <div class="d-flex flex-row gap-3 justify-content-center">
+                <form action="@route('index.php?view=userconsent&task=agree')" method="post" class="d-inline">
+                    <input type="hidden" name="{{ $token }}" value="1">
+                    <button type="submit" class="btn btn-primary btn-lg">
+                        <span class="fa fa-check me-1" aria-hidden="true"></span>
+                        @lang('PANOPTICON_USERCONSENT_BTN_AGREE')
+                    </button>
+                </form>
+                <a href="@route('index.php?view=userconsent&task=decline')" class="btn btn-outline-secondary btn-lg">
+                    <span class="fa fa-xmark me-1" aria-hidden="true"></span>
+                    @lang('PANOPTICON_USERCONSENT_BTN_DECLINE')
+                </a>
+            </div>
+        </div>
+    </div>
+
+    {{-- Data Export --}}
+    <div class="card mb-3">
+        <div class="card-header">
+            <h5 class="card-title m-0">
+                <span class="fa fa-download me-2" aria-hidden="true"></span>
+                @lang('PANOPTICON_USERCONSENT_HEAD_EXPORT')
+            </h5>
+        </div>
+        <div class="card-body">
+            <p>
+                @lang('PANOPTICON_USERCONSENT_LBL_EXPORT_DESC')
+            </p>
+            <a href="@route('index.php?view=userconsent&task=export')" class="btn btn-outline-primary">
+                <span class="fa fa-file-export me-1" aria-hidden="true"></span>
+                @lang('PANOPTICON_USERCONSENT_BTN_EXPORT')
+            </a>
+        </div>
+    </div>
+
+    {{-- Account Deletion --}}
+    <div class="card mb-3 border-danger">
+        <div class="card-header bg-danger text-white">
+            <h5 class="card-title m-0">
+                <span class="fa fa-triangle-exclamation me-2" aria-hidden="true"></span>
+                @lang('PANOPTICON_USERCONSENT_HEAD_DELETE')
+            </h5>
+        </div>
+        <div class="card-body">
+            <div class="alert alert-warning">
+                <span class="fa fa-exclamation-circle me-1" aria-hidden="true"></span>
+                @lang('PANOPTICON_USERCONSENT_LBL_DELETE_WARNING')
+            </div>
+
+            @if (!$this->canSelfDelete)
+                <div class="alert alert-danger">
+                    <span class="fa fa-ban me-1" aria-hidden="true"></span>
+                    @lang('PANOPTICON_USERCONSENT_LBL_DELETE_SOLE_ADMIN')
+                </div>
+            @else
+                <form action="@route('index.php?view=userconsent&task=deleteaccount')" method="post"
+                      onsubmit="return confirm('{{{ $this->getLanguage()->text('PANOPTICON_USERCONSENT_LBL_DELETE_CONFIRM') }}}')">
+                    <input type="hidden" name="{{ $token }}" value="1">
+
+                    <div class="mb-3">
+                        <label for="confirm_username" class="form-label">
+                            @lang('PANOPTICON_USERCONSENT_LBL_DELETE_TYPE_USERNAME')
+                        </label>
+                        <input type="text" name="confirm_username" id="confirm_username"
+                               class="form-control" required
+                               autocomplete="off"
+                               placeholder="{{{ $this->username }}}">
+                    </div>
+
+                    <button type="submit" class="btn btn-danger">
+                        <span class="fa fa-trash me-1" aria-hidden="true"></span>
+                        @lang('PANOPTICON_USERCONSENT_BTN_DELETE')
+                    </button>
+                </form>
+            @endif
+        </div>
+    </div>
+</div>

languages/en-GB.ini

@@ -2312,6 +2312,41 @@ PANOPTICON_PASSKEYS_ERR_AJAX_INVALIDACTION="Invalid ajax action"
 PANOPTICON_PASSKEYS_ERR_XHR_INITCREATE="Cannot get the passkey registration information from your site."
 PANOPTICON_PASSKEYS_BTN_LOGIN="Passkey login"
 
+[Policies]
+PANOPTICON_POLICIES_TITLE="Legal Policies"
+PANOPTICON_POLICIES_TITLE_TOS="Terms of Service"
+PANOPTICON_POLICIES_TITLE_PRIVACY="Privacy Policy"
+PANOPTICON_POLICIES_TITLE_EDIT="Edit Legal Policies"
+PANOPTICON_POLICIES_LBL_TYPE="Policy Type"
+PANOPTICON_POLICIES_LBL_LANGUAGE="Language"
+PANOPTICON_POLICIES_LBL_CONTENT="Content"
+PANOPTICON_POLICIES_LBL_PREVIEW_TOS="Preview Terms of Service"
+PANOPTICON_POLICIES_LBL_PREVIEW_PRIVACY="Preview Privacy Policy"
+PANOPTICON_POLICIES_MSG_SAVED="The policy has been saved."
+
+[User Consent]
+PANOPTICON_USERCONSENT_TITLE="Terms and Conditions"
+PANOPTICON_USERCONSENT_HEAD_REQUIRED="Your Consent is Required"
+PANOPTICON_USERCONSENT_LBL_EXPLANATION="Before you can use this service, you must review and agree to our Terms of Service and Privacy Policy. You can also export your personal data or delete your account from this page."
+PANOPTICON_USERCONSENT_LBL_VIEW_FULL="View full page"
+PANOPTICON_USERCONSENT_LBL_AGREE_PROMPT="By clicking “I Agree”, you confirm that you have read and agree to the Terms of Service and Privacy Policy."
+PANOPTICON_USERCONSENT_BTN_AGREE="I Agree"
+PANOPTICON_USERCONSENT_BTN_DECLINE="I Decline (Log Out)"
+PANOPTICON_USERCONSENT_MSG_AGREED="Thank you for accepting the Terms of Service. You can now use the application."
+PANOPTICON_USERCONSENT_MSG_DECLINED="You have declined the Terms of Service and have been logged out."
+PANOPTICON_USERCONSENT_HEAD_EXPORT="Export Your Data"
+PANOPTICON_USERCONSENT_LBL_EXPORT_DESC="Download a copy of all personal data we hold about you, in XML format. This includes your profile information, owned sites, MFA methods, and passkey labels."
+PANOPTICON_USERCONSENT_BTN_EXPORT="Download My Data"
+PANOPTICON_USERCONSENT_HEAD_DELETE="Permanently Delete My Account"
+PANOPTICON_USERCONSENT_LBL_DELETE_WARNING="Deleting your account is permanent and cannot be undone. All your data, including sites you own, will be permanently removed."
+PANOPTICON_USERCONSENT_LBL_DELETE_SOLE_ADMIN="You are the only administrator account. You cannot delete your own account as this would leave the system without an administrator."
+PANOPTICON_USERCONSENT_LBL_DELETE_TYPE_USERNAME="To confirm, type your username below:"
+PANOPTICON_USERCONSENT_LBL_DELETE_CONFIRM="Are you absolutely sure you want to permanently delete your account? This action CANNOT be undone."
+PANOPTICON_USERCONSENT_BTN_DELETE="Permanently Delete My Account"
+PANOPTICON_USERCONSENT_ERR_USERNAME_MISMATCH="The username you entered does not match your account username. Account deletion was cancelled."
+PANOPTICON_USERCONSENT_ERR_CANNOT_SELF_DELETE="You cannot delete your account. You may be the only administrator."
+PANOPTICON_USERCONSENT_MSG_ACCOUNT_DELETED="Your account has been permanently deleted."
+
 [System Errors]
 PANOPTICON_SYSERROR_FORBIDDEN_TITLE="Access Denied"
 PANOPTICON_SYSERROR_FORBIDDEN_HEAD="Access Denied"