✨ add alert for upcoming privacy change (#4806)

MrKrisKrisu · web-flow · commit 04274ecf19f9 · 2026-05-18T19:18:59.000+02:00
diff --git a/app/Dto/PrivacyPolicyWithAcceptance.php b/app/Dto/PrivacyPolicyWithAcceptance.php
@@ -13,5 +13,7 @@ public function __construct(
         public PrivacyPolicy $policy,
         public ?Carbon $acceptedAt,
         public bool $hasOldAcceptance,
+        public ?PrivacyPolicy $upcomingPolicy = null,
+        public ?Carbon $upcomingAcceptedAt = null,
     ) {}
 }
diff --git a/app/Http/Controllers/API/v1/AlertController.php b/app/Http/Controllers/API/v1/AlertController.php
@@ -6,6 +6,7 @@
 use App\Http\Resources\AlertResource;
 use App\Models\Alert;
 use App\Models\AlertTranslation;
+use App\Services\PrivacyPolicyService;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Http\Resources\Json\AnonymousResourceCollection;
@@ -17,6 +18,10 @@
 
 class AlertController extends Controller
 {
+    public function __construct(
+        private readonly PrivacyPolicyService $privacyPolicyService,
+    ) {}
+
     #[OA\Get(
         path: '/alerts',
         operationId: 'getAlerts',
@@ -125,6 +130,28 @@ function () use ($userId): bool {
             }
         }
 
+        $upcomingPolicy = $this->privacyPolicyService->getUpcomingPolicy();
+        $user = auth()->user();
+
+        if ($upcomingPolicy !== null && $user !== null && !$this->privacyPolicyService->hasUserAcceptedPolicy($user, $upcomingPolicy)) {
+            $alert = new Alert();
+            $alert->id = 'privacy-policy-upcoming';
+            $alert->type = 'warning';
+            $alert->active_from = now();
+            $alert->active_until = $upcomingPolicy->valid_at;
+
+            $translation = new AlertTranslation();
+            $translation->locale = app()->getLocale();
+            $translation->title = __('privacy.upcoming-alert.title');
+            $translation->content = __('privacy.upcoming-alert.content', [
+                'date' => $upcomingPolicy->valid_at->isoFormat('LL'),
+            ]);
+            $translation->url = url('/gdpr-intercept');
+            $alert->setRelation('translations', collect([$translation]));
+
+            $alerts->prepend($alert);
+        }
+
         return AlertResource::collection($alerts);
     }
 
diff --git a/app/Http/Resources/PrivacyPolicyResource.php b/app/Http/Resources/PrivacyPolicyResource.php
@@ -53,6 +53,19 @@
             type: 'boolean',
             example: false,
         ),
+        new OA\Property(
+            property: 'upcoming',
+            description: 'Next privacy policy that is not yet in effect, if any.',
+            nullable: true,
+            properties: [
+                new OA\Property(property: 'id', type: 'string', format: 'uuid', example: '00000000-0000-0000-0000-000000000000'),
+                new OA\Property(property: 'validFrom', type: 'string', format: 'date-time', example: '2022-01-05T16:26:14.000000Z'),
+                new OA\Property(property: 'en', type: 'string', example: 'This is the english privacy policy'),
+                new OA\Property(property: 'de', type: 'string', example: 'Dies ist die deutsche Datenschutzerklärung'),
+                new OA\Property(property: 'acceptedAt', type: 'string', format: 'date-time', nullable: true, example: null),
+            ],
+            type: 'object',
+        ),
     ],
     type: 'object'
 )]
@@ -73,6 +86,13 @@ public function toArray(Request $request): array
             'de' => $this->policy->body_md_de,
             'acceptedAt' => $this->acceptedAt,
             'hasOldAcceptance' => $this->hasOldAcceptance,
+            'upcoming' => $this->upcomingPolicy !== null ? [
+                'id' => $this->upcomingPolicy->id,
+                'validFrom' => $this->upcomingPolicy->valid_at,
+                'en' => $this->upcomingPolicy->body_md_en,
+                'de' => $this->upcomingPolicy->body_md_de,
+                'acceptedAt' => $this->upcomingAcceptedAt,
+            ] : null,
         ];
     }
 }
diff --git a/app/Repositories/PrivacyPolicyRepository.php b/app/Repositories/PrivacyPolicyRepository.php
@@ -17,6 +17,13 @@ public function getPrivacyPolicyValidAt(CarbonInterface $validAt): PrivacyPolicy
             ->first();
     }
 
+    public function getUpcomingPrivacyPolicy(): ?PrivacyPolicy
+    {
+        return PrivacyPolicy::where('valid_at', '>', now()->toIso8601ZuluString())
+            ->orderBy('valid_at')
+            ->first();
+    }
+
     public function getPrivacyPolicyById(string $id): PrivacyPolicy
     {
         return PrivacyPolicy::whereId($id)->firstOrFail();
diff --git a/app/Services/PrivacyPolicyService.php b/app/Services/PrivacyPolicyService.php
@@ -76,6 +76,11 @@ public function hasUserAcceptedPolicy(User $user, ?PrivacyPolicy $policy = null)
         return false;
     }
 
+    public function getUpcomingPolicy(): ?PrivacyPolicy
+    {
+        return $this->repository->getUpcomingPrivacyPolicy();
+    }
+
     public function getLastAcceptedPolicy(User $user): ?PrivacyPolicyAcceptance
     {
         return $this->repository->getLastAcceptedPolicy($user);
@@ -89,14 +94,21 @@ public function getPolicyWithAcceptanceStatus(?User $user): PrivacyPolicyWithAcc
         $policy = $this->getPrivacyPolicy();
         $acceptedAt = null;
         $hasOldAcceptance = false;
+        $upcomingPolicy = $this->repository->getUpcomingPrivacyPolicy();
+        $upcomingAcceptedAt = null;
 
         if ($user !== null) {
             $allAcceptances = $this->getUserAcceptance($user);
             $ownAcceptance = $allAcceptances->firstWhere('privacy_policy_id', $policy->id);
             $acceptedAt = $ownAcceptance?->accepted_at;
             $hasOldAcceptance = $acceptedAt === null && $allAcceptances->isNotEmpty();
+
+            if ($upcomingPolicy !== null) {
+                $upcomingAcceptance = $allAcceptances->firstWhere('privacy_policy_id', $upcomingPolicy->id);
+                $upcomingAcceptedAt = $upcomingAcceptance?->accepted_at;
+            }
         }
 
-        return new PrivacyPolicyWithAcceptance($policy, $acceptedAt, $hasOldAcceptance);
+        return new PrivacyPolicyWithAcceptance($policy, $acceptedAt, $hasOldAcceptance, $upcomingPolicy, $upcomingAcceptedAt);
     }
 }
diff --git a/lang/de.json b/lang/de.json
@@ -540,11 +540,18 @@
   "passwords.token": "Dieser Link zum Zurücksetzen eines Passwortes ist ungültig.",
   "passwords.user": "Wir können keinen Benutzer mit dieser E-Mail-Adresse finden.",
   "platform": "Gleis",
-  "privacy.not-signed-yet": "<b>Du hast unseren Datenschutzbedingungen noch nicht zugestimmt.</b> Dies wird jedoch benötigt, um Träwelling zu verwenden. Falls Du nicht zustimmen solltest, kannst Du auch an dieser Stelle Deinen Account löschen.",
+  "privacy.upcoming-alert.content": "Ab dem :date gelten neue Datenschutzbedingungen. Du kannst ihnen bereits jetzt zustimmen.",
+  "privacy.upcoming-alert.title": "Neue Datenschutzbedingungen",
+  "privacy.upcoming.public-notice": "Ab dem :date gelten neue Datenschutzbedingungen.",
+  "privacy.upcoming.public-notice-link": "Jetzt ansehen",
+  "privacy.upcoming.section-heading": "Neue Datenschutzbedingungen (gültig ab :date)",
+  "privacy.not-signed-yet.body": "Dies wird jedoch benötigt, um Träwelling zu verwenden. Falls Du nicht zustimmen solltest, kannst Du auch an dieser Stelle Deinen Account löschen.",
+  "privacy.not-signed-yet.title": "Du hast unseren Datenschutzbedingungen noch nicht zugestimmt.",
   "privacy.sign": "Okay",
   "privacy.sign.more": "Akzeptieren & weiter zu Träwelling",
   "privacy.title": "Datenschutz&shy;beding&shy;ungen",
-  "privacy.we-changed": "<b>Wir haben unsere Datenschutzbedingungen geändert.</b> Um diesen Service weiterhin nutzen zu können, musst Du den neuen Bedingungen zustimmen. Falls Du nicht zustimmen solltest, kannst Du auch an dieser Stelle Deinen Account löschen.",
+  "privacy.we-changed.body": "Um diesen Service weiterhin nutzen zu können, musst Du den neuen Bedingungen zustimmen. Falls Du nicht zustimmen solltest, kannst Du auch an dieser Stelle Deinen Account löschen.",
+  "privacy.we-changed.title": "Wir haben unsere Datenschutzbedingungen geändert.",
   "profile.bio": "Bio",
   "profile.bio.description": "Kurze Beschreibung über dich, die auf deinem Profil angezeigt wird.",
   "profile.follow": "Folgen",
diff --git a/lang/en.json b/lang/en.json
@@ -540,11 +540,18 @@
   "passwords.token": "This password reset token is invalid.",
   "passwords.user": "We can't find a user with that e-mail address.",
   "platform": "Platform",
-  "privacy.not-signed-yet": "<b>You have not signed our privacy policy yet.</b> To use Träwelling, you'll need to agree to our privacy policy. If you don't wish to agree, you can delete your account by clicking on the button below.",
+  "privacy.upcoming-alert.content": "A new privacy policy will take effect on :date. You can accept it early.",
+  "privacy.upcoming-alert.title": "New Privacy Policy",
+  "privacy.upcoming.public-notice": "A new privacy policy will take effect on :date.",
+  "privacy.upcoming.public-notice-link": "Preview below",
+  "privacy.upcoming.section-heading": "New Privacy Policy (effective :date)",
+  "privacy.not-signed-yet.body": "To use Träwelling, you'll need to agree to our privacy policy. If you don't wish to agree, you can delete your account by clicking on the button below.",
+  "privacy.not-signed-yet.title": "You have not signed our privacy policy yet.",
   "privacy.sign": "Sign",
   "privacy.sign.more": "Accept & continue to traewelling",
   "privacy.title": "Privacy Policy",
-  "privacy.we-changed": "<b>We changed our privacy policy.</b> To continue using our service, you have to agree to the latest changes. If you don't wish to agree, you can delete your account by clicking on the button below.",
+  "privacy.we-changed.body": "To continue using our service, you have to agree to the latest changes. If you don't wish to agree, you can delete your account by clicking on the button below.",
+  "privacy.we-changed.title": "We changed our privacy policy.",
   "profile.bio": "Bio",
   "profile.bio.description": "A short description about you, shown on your public profile.",
   "profile.follow": "Follow",
diff --git a/lang/fr.json b/lang/fr.json
@@ -506,11 +506,18 @@
   "passwords.token": "Ce lien pour réinitialiser un mot de passe n’est pas valide.",
   "passwords.user": "Nous n’avons pas pu trouver d’utilisateur·rice avec cette adresse e-mail.",
   "platform": "Voie",
-  "privacy.not-signed-yet": "<b>Tu n'as pas encore signé notre politique de confidentialité.</b> Pour utiliser Träwelling, tu dois accepter notre politique de confidentialité. Si tu ne souhaites pas accepter cette politique, tu peux supprimer ton compte en cliquant sur le bouton ci-dessous.",
+  "privacy.upcoming-alert.content": "Une nouvelle politique de confidentialité entrera en vigueur le :date. Tu peux l'accepter dès maintenant.",
+  "privacy.upcoming-alert.title": "Nouvelle politique de confidentialité",
+  "privacy.upcoming.public-notice": "Une nouvelle politique de confidentialité entrera en vigueur le :date.",
+  "privacy.upcoming.public-notice-link": "Voir ci-dessous",
+  "privacy.upcoming.section-heading": "Nouvelle politique de confidentialité (en vigueur le :date)",
+  "privacy.not-signed-yet.body": "Pour utiliser Träwelling, tu dois accepter notre politique de confidentialité. Si tu ne souhaites pas accepter cette politique, tu peux supprimer ton compte en cliquant sur le bouton ci-dessous.",
+  "privacy.not-signed-yet.title": "Tu n'as pas encore signé notre politique de confidentialité.",
   "privacy.sign": "Signer",
   "privacy.sign.more": "Accepter et continuer sur Träwelling",
   "privacy.title": "Politique de confidentialité",
-  "privacy.we-changed": "<b>Nous avons modifié notre politique de confidentialité</b> Pour continuer à utiliser notre service, tu dois accepter les dernières modifications. Si tu ne souhaites pas accepter, tu peux supprimer ton compte en cliquant sur le bouton ci-dessous.",
+  "privacy.we-changed.body": "Pour continuer à utiliser notre service, tu dois accepter les dernières modifications. Si tu ne souhaites pas accepter, tu peux supprimer ton compte en cliquant sur le bouton ci-dessous.",
+  "privacy.we-changed.title": "Nous avons modifié notre politique de confidentialité.",
   "profile.bio": "Biographie",
   "profile.bio.description": "Une courte description sur toi, affichée sur ton profil public.",
   "profile.follow": "S'abonner",
diff --git a/resources/types/Api.gen.ts b/resources/types/Api.gen.ts
@@ -1622,6 +1622,28 @@ export interface PrivacyPolicy {
    * @example false
    */
   hasOldAcceptance: boolean;
+  /** Next privacy policy that is not yet in effect, if any. */
+  upcoming?: {
+    /**
+     * @format uuid
+     * @example "00000000-0000-0000-0000-000000000000"
+     */
+    id?: string;
+    /**
+     * @format date-time
+     * @example "2022-01-05T16:26:14.000000Z"
+     */
+    validFrom?: string;
+    /** @example "This is the english privacy policy" */
+    en?: string;
+    /** @example "Dies ist die deutsche Datenschutzerklärung" */
+    de?: string;
+    /**
+     * @format date-time
+     * @example null
+     */
+    acceptedAt?: string | null;
+  } | null;
 }
 
 /**
diff --git a/resources/vue/components/Privacy/DeleteAccountDialog.vue b/resources/vue/components/Privacy/DeleteAccountDialog.vue
@@ -0,0 +1,111 @@
+<script setup lang="ts">
+import { trans } from 'laravel-vue-i18n';
+import { ref } from 'vue';
+import { Api } from '../../../types/Api.gen';
+
+const props = defineProps<{
+    username: string;
+}>();
+
+const api = new Api({ baseUrl: window.location.origin + '/api/v1' });
+
+const modal = ref<HTMLDialogElement>();
+const deleteStep = ref<1 | 2>(1);
+const confirmation = ref('');
+const loadingDelete = ref(false);
+
+function open() {
+    deleteStep.value = 1;
+    confirmation.value = '';
+    modal.value?.showModal();
+}
+
+function close() {
+    modal.value?.close();
+    confirmation.value = '';
+    deleteStep.value = 1;
+}
+
+async function deleteAccount() {
+    loadingDelete.value = true;
+    try {
+        const response = await api.settings.deleteUserAccount({ confirmation: confirmation.value });
+        if (response.ok) {
+            window.notyf.success(trans('settings.delete-account-completed'));
+            window.location.href = '/';
+        } else {
+            window.notyf.error(trans('settings.something-wrong'));
+            close();
+        }
+    } catch {
+        window.notyf.error(trans('settings.something-wrong'));
+        close();
+    } finally {
+        loadingDelete.value = false;
+    }
+}
+
+defineExpose({ open });
+</script>
+
+<template>
+    <dialog
+        ref="modal"
+        style="z-index: 1100; border: none; border-radius: 0.5rem; padding: 0; max-width: 500px; width: 90%"
+    >
+        <!-- Step 1: Initial warning -->
+        <div v-if="deleteStep === 1" style="padding: 1.5rem">
+            <h5 class="mb-2 fw-bold">{{ trans('settings.delete-account') }}</h5>
+            <p class="text-muted small">{{ trans('settings.delete-account.detail') }}</p>
+            <div class="d-flex justify-content-end gap-2 mt-3">
+                <button type="button" class="btn btn-secondary" @click="close">
+                    {{ trans('menu.abort') }}
+                </button>
+                <button type="button" class="btn btn-danger" @click="deleteStep = 2">
+                    {{ trans('settings.delete-account') }}
+                </button>
+            </div>
+        </div>
+
+        <!-- Step 2: Final confirmation with username -->
+        <div v-else style="padding: 1.5rem; border: 2px solid #dc3545; border-radius: 0.5rem">
+            <h5 class="mb-2 fw-bold text-danger">{{ trans('settings.delete-account') }}</h5>
+            <!-- eslint-disable-next-line vue/no-v-html -->
+            <p class="small" v-html="trans('settings.delete-account-verify', { appname: 'Träwelling' })"></p>
+            <form @submit.prevent="deleteAccount">
+                <div class="mt-3">
+                    <!-- eslint-disable vue/no-v-html -->
+                    <label
+                        class="form-label small"
+                        v-html="trans('messages.account.please-confirm', { delete: props.username })"
+                    ></label>
+                    <!-- eslint-enable vue/no-v-html -->
+                    <input
+                        v-model="confirmation"
+                        type="text"
+                        class="form-control is-invalid"
+                        :placeholder="props.username ?? ''"
+                        autocomplete="off"
+                        required
+                    />
+                </div>
+                <div class="d-flex justify-content-end gap-2 mt-3">
+                    <button type="button" class="btn btn-secondary" @click="deleteStep = 1">
+                        {{ trans('settings.delete-account-btn-back') }}
+                    </button>
+                    <button
+                        class="btn btn-danger"
+                        type="submit"
+                        :disabled="loadingDelete || confirmation !== props.username"
+                    >
+                        {{ trans('settings.delete-account-btn-confirm') }}
+                    </button>
+                </div>
+            </form>
+        </div>
+
+        <form method="dialog" style="display: none">
+            <button>close</button>
+        </form>
+    </dialog>
+</template>
diff --git a/resources/vue/components/Privacy/MarkdownContent.vue b/resources/vue/components/Privacy/MarkdownContent.vue
@@ -0,0 +1,17 @@
+<script setup lang="ts">
+import DOMPurify from 'dompurify';
+import { marked } from 'marked';
+import { computed } from 'vue';
+
+const props = defineProps<{
+    markdown: string;
+}>();
+
+// v-html is intentional: content comes from our own database and is DOMPurify-sanitized.
+const html = computed(() => DOMPurify.sanitize(marked.parse(props.markdown) as string));
+</script>
+
+<template>
+    <!-- eslint-disable-next-line vue/no-v-html -->
+    <div v-html="html" />
+</template>
diff --git a/resources/vue/components/Privacy/PolicyActionButtons.vue b/resources/vue/components/Privacy/PolicyActionButtons.vue
@@ -0,0 +1,23 @@
+<script setup lang="ts">
+import { trans } from 'laravel-vue-i18n';
+
+defineProps<{
+    loadingAccept: boolean;
+}>();
+
+const emit = defineEmits<{
+    accept: [];
+    openDelete: [];
+}>();
+</script>
+
+<template>
+    <div class="d-flex justify-content-between align-items-center">
+        <button type="button" class="btn btn-outline-secondary btn-sm" @click="emit('openDelete')">
+            {{ trans('settings.delete-account.more') }}
+        </button>
+        <button type="button" class="btn btn-success" :disabled="loadingAccept" @click="emit('accept')">
+            {{ trans('privacy.sign.more') }}
+        </button>
+    </div>
+</template>
diff --git a/resources/vue/components/PrivacyIntercept.vue b/resources/vue/components/PrivacyIntercept.vue
diff --git a/resources/vue/helpers/usePrivacyPolicy.ts b/resources/vue/helpers/usePrivacyPolicy.ts
diff --git a/storage/api-docs/api-docs.json b/storage/api-docs/api-docs.json

Original file line number	Diff line number	Diff line change
`@@ -13,5 +13,7 @@ public function __construct(`
`13`	`13`	`public PrivacyPolicy $policy,`
`14`	`14`	`public ?Carbon $acceptedAt,`
`15`	`15`	`public bool $hasOldAcceptance,`
	`16`	`+ public ?PrivacyPolicy $upcomingPolicy = null,`
	`17`	`+ public ?Carbon $upcomingAcceptedAt = null,`
`16`	`18`	`) {}`
`17`	`19`	`}`
Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,13 @@ public function getPrivacyPolicyValidAt(CarbonInterface $validAt): PrivacyPolicy`
`17`	`17`	`->first();`
`18`	`18`	`}`
`19`	`19`
	`20`	`+ public function getUpcomingPrivacyPolicy(): ?PrivacyPolicy`
	`21`	`+ {`
	`22`	`+ return PrivacyPolicy::where('valid_at', '>', now()->toIso8601ZuluString())`
	`23`	`+ ->orderBy('valid_at')`
	`24`	`+ ->first();`
	`25`	`+ }`
	`26`	`+`
`20`	`27`	`public function getPrivacyPolicyById(string $id): PrivacyPolicy`
`21`	`28`	`{`
`22`	`29`	`return PrivacyPolicy::whereId($id)->firstOrFail();`