Users must accept ToS or community guidelines before posting UGC
Why it matters
Apple's guideline 1.2 requires UGC platforms to have users agree to community guidelines — implicit agreement through account creation is not sufficient. Failing to record and enforce terms acceptance means you have no legal standing when content violations occur and no proof that users were informed of the rules before posting. Beyond Apple's requirement, tos_accepted_at on the user record is the timestamp your legal team needs if a content dispute escalates. The gating must be server-side: a UI checkbox alone can be bypassed, and direct API calls from determined users would bypass it entirely.
Severity rationale
Low because this is a compliance hygiene issue that primarily affects legal standing and guidelines conformance rather than causing direct harm on its own.
Remediation
Gate UGC creation behind recorded terms acceptance — both in the UI and in the API.
// src/app/api/posts/route.ts
import { getUser } from '@/lib/auth'; // assumption: your own session/user lookup helper
export async function POST(req: Request) {
  const user = await getUser(req);
  // Server-side gate: refuse the request if no acceptance timestamp was ever recorded
  if (!user?.tos_accepted_at) {
    return Response.json({ error: 'Must accept community guidelines before posting' }, { status: 403 });
  }
  // ... create the post for an accepted user
}
Add a tos_accepted_at timestamptz column to your users table. In the onboarding flow, show the Community Guidelines with an explicit "I agree" tap — not a pre-checked checkbox. Link to the full guidelines text. Record acceptance server-side so the check works even if users call the API directly.
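The gate described above, as an added example that is not the audit's own code: an in-memory user store stands in for the users table, handler return values stand in for Next.js Response objects, and the acceptance endpoint only records the timestamp on an explicit agree:true (so a pre-checked box or a stray request cannot set it), while post creation checks the recorded value regardless of whether the UI was used.

```typescript
// Added example: minimal server-side community-guidelines gate.
// Assumptions: in-memory Map instead of a database, plain objects instead of Response.

type User = { id: string; tos_accepted_at: string | null };
type Result = { status: number; body: Record<string, unknown> };

// Constructed sample data: two users, neither has accepted the guidelines yet.
const users = new Map<string, User>([
  ['alice', { id: 'alice', tos_accepted_at: null }],
  ['bob', { id: 'bob', tos_accepted_at: null }],
]);
let nextPostId = 1;

// POST /api/tos/accept: records acceptance only when the client sends an
// explicit agree:true, so nothing short of the "I agree" tap sets the timestamp.
function acceptTerms(userId: string, payload: { agree?: boolean }, now = new Date()): Result {
  const user = users.get(userId);
  if (!user) return { status: 401, body: { error: 'Not authenticated' } };
  if (payload.agree !== true) {
    return { status: 400, body: { error: 'Explicit agreement required' } };
  }
  user.tos_accepted_at = now.toISOString(); // the timestamp legal will ask for later
  return { status: 200, body: { tos_accepted_at: user.tos_accepted_at } };
}

// POST /api/posts: the gate lives here, not in the UI, so a direct API call
// without a recorded acceptance is refused exactly like a UI submission.
function createPost(userId: string, text: string): Result {
  const user = users.get(userId);
  if (!user) return { status: 401, body: { error: 'Not authenticated' } };
  if (!user.tos_accepted_at) {
    return { status: 403, body: { error: 'Must accept community guidelines before posting' } };
  }
  return { status: 201, body: { postId: nextPostId++, text } };
}
```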
Detection
- ID: tos-acceptance-before-posting
- Severity: low
- What to look for: Count all relevant instances and enumerate each. Look for a ToS/Community Guidelines acceptance flow in the onboarding or account creation screens. Search for termsAccepted, agreedToTerms, tos_accepted_at, community_guidelines_accepted in state, database schema, or user profile objects. Check if the posting flow is gated behind ToS acceptance (i.e., users cannot post without having agreed). Look for a checkbox, "I agree" button, or modal that appears before the first post.
- Pass criteria: Users must explicitly agree to ToS and/or Community Guidelines (by tapping a checkbox or button) before they can post UGC. At least 1 implementation must be verified. This acceptance is recorded.
- Fail criteria: Users can post UGC without ever having agreed to community guidelines or ToS — agreement is implicit or missing.
- Skip (N/A) when: App has no user-generated content.
- Detail on fail: "Users can create posts immediately after signup with no community guidelines acceptance step"
- Remediation: While not always an immediate rejection trigger, requiring ToS acceptance protects you legally and satisfies Apple's spirit of guideline 1.2.
  - Add a community guidelines acceptance step to account creation or first-post flow
  - Record tos_accepted_at in the user record
  - Gate UGC creation behind this check server-side (not just in the UI)
  - Link to the full Community Guidelines from the acceptance prompt
  Review the configuration in the src/ or app/ directory for implementation patterns.
- Cross-reference: For related patterns and deeper analysis, see the corresponding checks in other AuditBuffet audits covering this domain.
External references
- external · apple-guideline-1.2-ugc-tos — Apple App Store Review Guideline 1.2 — User-Generated Content (ToS acceptance)
Taxons
History
- 2026-04-18·v1.0.0·Initial import from app-store-review-blockers·automated