User Consent - akeeba/panopticon GitHub Wiki

User Consent

When user registration is enabled, Panopticon requires all users to explicitly consent to the Terms of Service and Privacy Policy before they can access the application. This helps comply with GDPR and similar data protection regulations.

How the Consent Flow Works

  1. User logs in with their credentials (and completes MFA if required).
  2. Panopticon checks if the user has previously consented (stored as consent.tos in their user parameters).
  3. If consent is missing, the user is redirected to the consent page (index.php?view=userconsent). The main navigation menu is disabled during this captive flow.
  4. On the consent page, the user can:
    • Review the Terms of Service and Privacy Policy (displayed in expandable accordion sections)
    • Open the full policy pages in a new tab
    • Click "I Agree" to record their consent and proceed to the application
    • Click "I Decline (Log Out)" to be logged out immediately
    • Export their personal data (see PII Self-Management)
    • Delete their account (see PII Self-Management)
  5. Once consent is given, the timestamp is recorded and the user is not prompted again on future logins.

When Consent is Required

The consent flow is only active when user registration is enabled (i.e., the user_registration configuration setting is set to admin or self). When user registration is disabled, the consent flow is skipped entirely.

Upgrade Behaviour

When upgrading an existing Panopticon installation:

  • Existing users who have never consented will be prompted on their next login (if user registration is enabled).
  • The initial admin account created during setup automatically receives consent, as the administrator implicitly accepts the terms by setting up the application.
  • Users can access the ToS and Privacy Policy pages without logging in, so they can review the policies before deciding whether to register or consent.

Allowed Views During Consent

While the consent flow is active, the user can still access these views without being redirected:

  • userconsent (the consent page itself)
  • policies (public ToS/Privacy Policy pages)
  • login / logout
  • cron / check
  • setup
  • passkeys / captive / mfamethods
  • users (only for pwreset, confirmreset, register, activate tasks)

Technical Details

  • Consent is stored in user parameters as consent.tos (boolean) and consent.timestamp (Unix timestamp).
  • The consent check runs in Application::conditionalRedirectToConsent(), which executes after MFA verification but before other captive setup redirects (CRON setup, passkey setup).
  • The userconsent view requires any logged-in user (* ACL privilege) and is included in the MFA allowed views list.