[Bug] Consent banner shows when GDPR Compliance Mode is OFF (regression) #140

@parhumm

Bug Report (Re-validated)

Source: WordPress.org support topic

Summary

The SlimStat consent banner renders even when GDPR Compliance Mode is OFF. This is a regression introduced in commit 9f33a29e which changed defaults to enable the banner by default.

Root Cause

The banner rendering pipeline checks use_slimstat_banner but never checks gdpr_enabled:

wp-slimstat.php:243:

$banner_enabled = ('on' === (self::$settings['use_slimstat_banner'] ?? 'off'));

The regression was introduced in commit 9f33a29e (Feb 24, 2026) which changed defaults:

  • use_slimstat_banner: 'off' → 'on'
  • consent_integration: '' → 'slimstat_banner'

Before this change, the banner was off by default, so disabling GDPR worked fine. After, the consent_integration select retains 'slimstat_banner' even when GDPR is toggled off (the form field is CSS-hidden but not disabled, so it still submits). The sync logic at lines 191-192 then keeps use_slimstat_banner = 'on'.

Code Trace

  1. Defaults (wp-slimstat.php:816-817): consent_integration = 'slimstat_banner', use_slimstat_banner = 'on'
  2. Admin save (admin/config/index.php:928-932): sync logic sets use_slimstat_banner = 'on' when consent_integration === 'slimstat_banner' — regardless of gdpr_enabled
  3. Init (wp-slimstat.php:191-192): same sync, no gdpr_enabled check
  4. Banner render (wp-slimstat.php:243): only checks use_slimstat_banner, not gdpr_enabled
  5. Meanwhile Consent::canTrack() (src/Utils/Consent.php:155-158) correctly returns true without consent checks when GDPR is OFF

Result: Tracking works without consent (correct), but banner still appears (incorrect — asks for consent that has no effect).

Steps to Reproduce

  1. Go to SlimStat Settings → Tracker tab
  2. Set GDPR Compliance Mode to OFF
  3. Save settings
  4. Visit the frontend as a logged-out visitor
  5. Expected: No SlimStat consent banner
  6. Actual: SlimStat consent banner appears

Proposed Fix

Gate banner rendering on gdpr_enabled at wp-slimstat.php:243:

$banner_enabled = ('on' === (self::$settings['gdpr_enabled'] ?? 'on'))
    && ('on' === (self::$settings['use_slimstat_banner'] ?? 'off'));

Code References

| File | Lines | Description |
| --- | --- | --- |
| wp-slimstat.php | 243 | Banner enabled check — missing gdpr_enabled gate |
| wp-slimstat.php | 191-192 | Sync logic sets banner on without GDPR check |
| wp-slimstat.php | 816-817 | Defaults changed in 9f33a29e (regression source) |
| admin/config/index.php | 928-932 | Save sync logic, same issue |
| src/Utils/Consent.php | 155-158 | canTrack() correctly skips consent when GDPR OFF |
| admin/assets/js/admin.js | 222 | Conditional fields use .hide() only, not disabled |

Regression Commit

9f33a29e — "Improve GDPR consent logic to require consent integration when enabled" (Feb 24, 2026)


Validated via qa-issue-validate skill (jaan.to plugin)
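
A regression check for the gate described in this report, added here as an example and not taken from the SlimStat code base. The function names and the sample settings arrays are hypothetical; the setting keys, the sync rule and both gate expressions are the ones quoted in the issue.

```php
<?php
// Added illustration, not SlimStat code. Function names are hypothetical;
// the setting keys and the two gate expressions come from the issue text.

// Models the sync step described in the issue: the banner flag is forced on
// whenever consent_integration is 'slimstat_banner', with no gdpr_enabled check.
function sync_banner_flag(array $settings): array
{
    if ('slimstat_banner' === ($settings['consent_integration'] ?? '')) {
        $settings['use_slimstat_banner'] = 'on';
    }
    return $settings;
}

// Gate as quoted from wp-slimstat.php:243.
function banner_enabled_current(array $settings): bool
{
    return 'on' === ($settings['use_slimstat_banner'] ?? 'off');
}

// Gate from the "Proposed Fix" section.
function banner_enabled_fixed(array $settings): bool
{
    return ('on' === ($settings['gdpr_enabled'] ?? 'on'))
        && ('on' === ($settings['use_slimstat_banner'] ?? 'off'));
}

// Constructed cases: what a settings save could submit.
$cases = [
    'GDPR on, banner integration'   => ['gdpr_enabled' => 'on',  'consent_integration' => 'slimstat_banner'],
    'GDPR off, hidden field posted' => ['gdpr_enabled' => 'off', 'consent_integration' => 'slimstat_banner'],
    'GDPR off, no integration'      => ['gdpr_enabled' => 'off', 'consent_integration' => '', 'use_slimstat_banner' => 'off'],
    'gdpr_enabled key missing'      => ['consent_integration' => 'slimstat_banner'],
];

foreach ($cases as $label => $submitted) {
    $settings = sync_banner_flag($submitted);
    $current  = banner_enabled_current($settings);
    $fixed    = banner_enabled_fixed($settings);
    // With GDPR off the banner must never render; otherwise both gates must agree.
    $gdpr_off = 'off' === ($settings['gdpr_enabled'] ?? 'on');
    $ok       = $gdpr_off ? (false === $fixed) : ($fixed === $current);
    printf("%-30s current=%-3s fixed=%-3s %s\n", $label,
        $current ? 'yes' : 'no', $fixed ? 'yes' : 'no', $ok ? 'OK' : 'FAIL');
}
```

The last case shows that the proposed gate treats a missing gdpr_enabled key as 'on', so an install that never stored that key would still render the banner.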
