in2code-de / powermail

This is the official repository of the TYPO3 extension powermail! Powermail is a well-known, editor-friendly, powerful and easy mailform extension for TYPO3
https://in2code.de

[BUG] GDPR compliant spam check #476

Closed BrandSven closed 3 weeks ago

BrandSven commented 4 years ago

In In2code\Powermail\Domain\Validator\SpamShieldValidator, a call to $this->saveSpamFactorInSession(); will trigger the creation of a fe_user_session-cookie once the user submits a form.

This contradicts the statement from the manual chapter "Privacy (GDPR / DSGVO)" which explicitly states that no cookies are set unless you activate the session check spam prevention.

Even if the session check is deactivated (left at the default), the cookie will be set on submitting a form.

Suggested fix: Add a condition in saveSpamFactorInSession() that checks if it is allowed to set a session cookie because session check is activated. If not allowed, don't store the powermail_spamfactor in the feuser session, but calculate anew for each form submit.

Tested with 7.4.0 in 8.7.27.
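
The suggested fix above, modelled as a self-contained sketch. This is an added example, not powermail's code and not part of the original post: `DemoSession`, `DemoSpamShield`, the `$sessionCheckEnabled` and `$applyFix` flags and the sample spam factor are hypothetical, and only the method name `saveSpamFactorInSession()` and the session key `powermail_spamfactor` come from the issue text.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the frontend user session: the first write is
// what causes a session cookie to be sent to the visitor.
final class DemoSession
{
    public bool $cookieSent = false;
    private array $data = [];

    public function set(string $key, float $value): void
    {
        $this->data[$key] = $value;
        $this->cookieSent = true; // persisting session data implies a cookie
    }
}

// Hypothetical validator showing the reported behaviour and the suggested guard.
final class DemoSpamShield
{
    public function __construct(
        private DemoSession $session,
        private bool $sessionCheckEnabled, // assumed flag: "session check is activated"
        private bool $applyFix             // false = reported behaviour, true = suggested fix
    ) {
    }

    public function validate(float $spamFactor, float $limit): bool
    {
        $this->saveSpamFactorInSession($spamFactor);
        return $spamFactor < $limit; // factor is calculated anew on every submit
    }

    private function saveSpamFactorInSession(float $spamFactor): void
    {
        if ($this->applyFix && !$this->sessionCheckEnabled) {
            return; // no session write, so no cookie is set
        }
        $this->session->set('powermail_spamfactor', $spamFactor);
    }
}

// Constructed submissions: [sessionCheckEnabled, applyFix]
foreach ([[false, false], [false, true], [true, true]] as [$check, $fix]) {
    $session = new DemoSession();
    $valid = (new DemoSpamShield($session, $check, $fix))->validate(0.2, 0.8);
    printf("sessionCheck=%s fix=%s valid=%s cookieSent=%s\n", var_export($check, true),
        var_export($fix, true), var_export($valid, true), var_export($session->cookieSent, true));
}
```

Only the middle case, with the guard applied and the session check left off, finishes validation without a session write.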

Gregor-Agnes commented 4 years ago

Same here, Version 7.3.x on TYPO3 8.7.x and 7.4 on TYPO3 9.5.x. Setting of the cookie is only prevented if plugin.tx_powermail.settings.setup.spamshield._enable = 0 is set. Even turning off each of the methods does not prevent the setting of the cookie.

That means: In the default state, a cookie is always set after submitting.

einpraegsam commented 4 years ago

plugin.tx_powermail.settings.spamshield.enable=0 in constants will turn it off. But it seems that a functional cookie is set if any spamshield method is active at the moment.

philippmaurer commented 4 years ago

> plugin.tx_powermail.settings.spamshield.enable=0 in constants will turn it off. But it seems that a functional cookie is set if any spamshield method is active at the moment.

If you flush the spamshield methods (plugin.tx_powermail.settings.spamshield.methods >) the cookie is still set. So there is no relation to the methods.

Anyways, same problem here, Version 7.4.x on TYPO3 8.7.x

KingDumah commented 4 years ago

Same here, Version 7.4 on TYPO3 9.5.x.

I found the following Code Source

But plugin.tx_powermail.settings.setup.saveSession._method > also did not work.

mschwemer commented 3 weeks ago

Cannot reproduce it in powermail version 12.