fix(user_api): honor profile visibility preference under COPPA mode#38318
fix(user_api): honor profile visibility preference under COPPA mode#38318kingoftech-v01 wants to merge 1 commit intoopenedx:masterfrom
Conversation
When ENABLE_COPPA_COMPLIANCE is True, the platform deliberately scrubs year_of_birth for every learner at registration. The legacy default of requires_parental_consent() (added in 2015, six years before COPPA mode) treats a missing year_of_birth as "unknown age, assume minor" and get_profile_visibility() therefore forced PRIVATE_VISIBILITY, silently overriding the user's explicit account_privacy preference and leaving only profile_image and username visible to peers. Scope the fix to the visibility call site: when COPPA mode is on, pass default_requires_consent=False so that users whose year_of_birth is None solely because the platform refused to collect it fall through to their chosen privacy preference. Legacy behavior is preserved when COPPA mode is off, and learners with a real year_of_birth below PARENTAL_CONSENT_AGE_LIMIT are still forced to PRIVATE regardless of the flag, so the age-gate for genuine minors is unchanged. Closes openedx#37987
|
Thanks for the pull request, @kingoftech-v01! This repository is currently maintained by Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review. 🔘 Get product approvalIf you haven't already, check this list to see if your contribution needs to go through the product review process.
🔘 Provide contextTo help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:
🔘 Submit a signed contributor agreement (CLA)
If you've signed an agreement in the past, you may need to re-sign. Once you've signed the CLA, please allow 1 business day for it to be processed. 🔘 Get a green buildIf one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green. DetailsWhere can I find more information?If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources: When can I expect my changes to be merged?Our goal is to get community contributions seen and reviewed as efficiently as possible. However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:
💡 As a result it may take up to several weeks or months to complete a review and merge your PR. |
openedx-webhooks
added
the
open-source-contribution
|
CLA signed via DocuSign. Re-triggering the check. Other checklist items:
@openedx/wg-maintenance-openedx-platform — marking ready for engineering review when you have capacity. Thanks! |
3 participants
Withdrawn by author.
I submitted 36 pull requests in a short window and mass-tagged the maintenance working group. That was the wrong way to approach this repository. I apologise to @kdmccormick and to the
@openedx/wg-maintenance-openedx-platformmembers for the notification noise.For the security-related patches, I should have used the private disclosure channel at
security@openedx.orgrather than public pull requests. The original body of this PR included exploit paths and affected line numbers; that content has been removed here to avoid indexing. Any legitimate security finding will be re-reported privately through the proper channel.For the bug-fix patches, I plan to re-engage the community through the correct process: discussing on https://discuss.openedx.org first, then submitting one focused change per PR, and only tagging maintainers when a PR has passed CI and an individual reviewer asks to be involved.
No further action requested on this PR.