From eb2cdfc5f22d0229958e0dcb8b11fabc7a90768f Mon Sep 17 00:00:00 2001
From: Codex_B <codex-b-wsl@users.noreply.github.com>
Date: Sat, 28 Feb 2026 12:41:26 +0000
Subject: [PATCH] Add granular consent preference flow and regression tests

---
 apps/core/tests/test_consent.py         | 44 +++++++++++++++++++++++++
 templates/components/cookie_banner.html | 15 +++++++++
 2 files changed, 59 insertions(+)

diff --git a/apps/core/tests/test_consent.py b/apps/core/tests/test_consent.py
index 5e25dd8..1a13643 100644
--- a/apps/core/tests/test_consent.py
+++ b/apps/core/tests/test_consent.py
@@ -21,3 +21,47 @@ def test_consent_post_view(client):
     resp = client.post("/consent/", {"accept_all": "1"}, follow=False)
     assert resp.status_code == 302
     assert CONSENT_COOKIE_NAME in resp.cookies
+
+
+@pytest.mark.django_db
+def test_consent_get_without_cookie_defaults_false():
+    request = HttpRequest()
+    state = ConsentService.get_consent(request)
+    assert state.analytics is False
+    assert state.advertising is False
+    assert state.requires_prompt is True
+
+
+@pytest.mark.django_db
+def test_consent_malformed_cookie_returns_safe_default():
+    request = HttpRequest()
+    request.COOKIES[CONSENT_COOKIE_NAME] = "not=a=valid%%%cookie"
+    state = ConsentService.get_consent(request)
+    assert state.analytics is False
+    assert state.advertising is False
+
+
+@pytest.mark.django_db
+def test_consent_post_preferences(client):
+    resp = client.post("/consent/", {"analytics": "1", "advertising": ""})
+    assert resp.status_code == 302
+    value = resp.cookies[CONSENT_COOKIE_NAME].value
+    assert "a=1" in value
+    assert "d=0" in value
+
+
+@pytest.mark.django_db
+def test_consent_get_method_not_allowed(client):
+    resp = client.get("/consent/")
+    assert resp.status_code == 405
+
+
+@pytest.mark.django_db
+def test_cookie_banner_hides_after_consent(client, home_page):
+    first = client.get("/")
+    assert "id=\"cookie-banner\"" in first.content.decode()
+    consented = client.post("/consent/", {"accept_all": "1"})
+    cookie_value = consented.cookies[CONSENT_COOKIE_NAME].value
+    client.cookies[CONSENT_COOKIE_NAME] = cookie_value
+    second = client.get("/")
+    assert "id=\"cookie-banner\"" not in second.content.decode()
diff --git a/templates/components/cookie_banner.html b/templates/components/cookie_banner.html
index 5623737..c7859f7 100644
--- a/templates/components/cookie_banner.html
+++ b/templates/components/cookie_banner.html
@@ -5,6 +5,21 @@
     <button type="submit" name="accept_all" value="1">Accept all</button>
     <button type="submit" name="reject_all" value="1">Reject all</button>
   </form>
+  <details>
+    <summary>Manage preferences</summary>
+    <form method="post" action="{% url 'consent' %}">
+      {% csrf_token %}
+      <label>
+        <input type="checkbox" name="analytics" value="1" />
+        Analytics cookies
+      </label>
+      <label>
+        <input type="checkbox" name="advertising" value="1" />
+        Advertising cookies
+      </label>
+      <button type="submit">Save preferences</button>
+    </form>
+  </details>
   {% if site_settings and site_settings.privacy_policy_page %}
     <a href="{{ site_settings.privacy_policy_page.url }}">Privacy Policy</a>
   {% endif %}