- Full IP address sent by replying to contact mail
- Trying to find actionable info about GDPR...
#1 Jan 08, 2018 10:11
When a person (anonymous) responds to a comment by Private Message (in case the commenter activated this feature), the commenter gets an e-mail with the message, but also with information about the author of that Private Message, which should not be delivered this way: IP address and plain e-mail address. Both pieces of information are [b]not compliant with GDPR[/b], because the author of the PM was never asked to agree. (see fig.)
I would recommend suppressing this information and only sending the link to the comment.
(BTW the link to the comment b2e actually delivers [b]does not work![/b] - see violet marks)
PS: Strictly speaking, full IP address protocols are not allowed in case this allows identification of a person. They should be anonymized. But I appreciate that and need this to stop spammers and trolls. In this case I would suggest to show IP addresses only to Admins level 10 and not to document this ;-)
Here is the fig to the problem mentioned above:
#3 Mar 16, 2018 23:28
Does a variable exist that also includes the name of an anonymous user, filled out in comments?
But also registered user names?
Because via sending a message (see above) the mail salutation shows a variable
An anonymous commenter does not have a "username", therefore the variable remains.
See skins_email_email_header.inc.html.php, Line 64
<p<?php echo emailskin_style( '.p' ); ?>><?php echo T_( 'Hello $username$!' ); ?></p>
and skins_email_email_header.inc.txt.php, Line 21
echo T_( 'Hello $username$!' )."\n\n";
Could this problem be solved in the way the message form (Contact) masters it (see screenshot above (2)), where the anonymous commenter is echoed correctly?
#4 Apr 04, 2018 14:18
Hello, someone out there in the b2e universe? I would appreciate any reply or feedback, just for self-ensuring someone recognized this ticket.
#5 Apr 05, 2018 23:04
The IP address is being replaced with the session ID in all emails. Only admins will be able to look up the session and possibly find the matching IP.
Regarding the contact form, we will add a note that says the existing "Your email address will not be published on this site" and add "BUT it will be sent to the person you are contacting, otherwise they would not be able to reply to you."
'Hello $username$!' has already been fixed in the develop branch but we will check.
The broken link in the email needs to be fixed indeed.
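The change described in the reply above, sketched as an added PHP example that is not part of the thread and not b2evolution's code: the notification carries only a session ID, and resolving it to an IP is gated on admin level. All function names, the session store, the sample data and the level threshold of 10 are assumptions made for illustration.

```php
<?php
// Added illustration; not b2evolution code. All names below are hypothetical.

const ADMIN_LEVEL = 10; // assumed threshold for session lookups

// Constructed sample session store: session ID => data kept server-side only.
$sessions = [
    4711 => ['ip' => '203.0.113.42', 'last_seen' => '2018-04-05 22:58:10'],
];

/**
 * Build the plain-text notification for a private reply.
 * The sender's IP never enters the message; only the session ID does.
 */
function build_notification(string $recipient_name, string $message, int $session_id, string $comment_url): string
{
    // Collapse line breaks in single-line fields so they cannot add extra lines.
    $clean = static fn(string $s): string => trim(preg_replace('/[\r\n]+/', ' ', $s));

    return "Hello " . $clean($recipient_name) . "!\n\n"
        . "You received a reply to your comment:\n\n"
        . $message . "\n\n"
        . "Comment: " . $clean($comment_url) . "\n"
        . "Session ID: " . $session_id . "\n";
}

/**
 * Resolve a session ID to its IP. Callers below ADMIN_LEVEL are refused,
 * so the mapping is only available inside the admin back office.
 */
function lookup_session_ip(array $sessions, int $session_id, int $viewer_level): ?string
{
    if ($viewer_level < ADMIN_LEVEL) {
        throw new RuntimeException('Session lookup requires admin level');
    }
    return $sessions[$session_id]['ip'] ?? null;
}

$mail = build_notification('Alice', 'Thanks for your comment.', 4711, 'https://blog.example/post#c12');
echo $mail;

// The rendered mail must not contain the stored IP address.
var_dump(strpos($mail, $sessions[4711]['ip']) === false);

// An admin can still trace abuse reports back through the session.
echo lookup_session_ip($sessions, 4711, ADMIN_LEVEL), "\n";
```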
#6 Apr 09, 2018 14:07
Hi @saunders. As Francois mentioned above, the IP address will be replaced with the session ID in all emails. You can apply this using the following commit: https://github.com/b2evolution/b2evolution/commit/7847c5f3a62a89c8f3d87727b63cd7f5e2ee57ec
The broken link in the contact message notification email is fixed in commit https://github.com/b2evolution/b2evolution/commit/a0161fa71708a584be0fb36febb1f1eb16494435. The patch also changes the email field note to notify users that their email will be sent to the person they are replying to.
I can confirm that the $username$ variable has already been fixed in the develop branch and is replaced with $name$ for anonymous users.
#7 Apr 10, 2018 13:41
#8 May 31, 2018 13:58
Released in http://b2evolution.net/downloads/6-10-1