Add setting to require consent for notifications

Ensure GDPR compliance by default (Article 25 GDPR – privacy by design
and by default). Under GDPR, consent must be freely given, specific,
informed and unambiguous [1]. We were subscribing users without
explicit consent, which goes against the "No pre-ticked boxes"
principle.

For compatibility with existing installations, we're using a setting,
disabled by default. Once we release version 2.4.0 we will enable it by
default, which won't affect existing installations but only new ones.

[1] https://gdprinfo.eu/best-gdpr-newsletter-consent-examples-a-complete-guide-to-compliant-email-marketing
This commit is contained in:
Johann
2025-09-16 21:25:35 +02:00
committed by Javi Martín
parent 208dc01d3b
commit e7f2210380
8 changed files with 54 additions and 10 deletions

@@ -91,6 +91,7 @@ class Setting < ApplicationRecord
"feature.machine_learning": false,
"feature.remove_investments_supports": true,
"feature.cookies_consent": false,
"feature.gdpr.require_consent_for_notifications": false,
"homepage.widgets.feeds.debates": true,
"homepage.widgets.feeds.processes": true,
"homepage.widgets.feeds.proposals": true,
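Review bot: The new key introduces a nested `feature.gdpr.` segment while every neighbouring flag in this hash is flat (`feature.cookies_consent`, `feature.machine_learning`); please confirm the admin settings page and any code that enumerates flags by the `feature.` prefix handles the extra dot, or rename it to `feature.gdpr_require_consent_for_notifications` for consistency. The hunk also carries no documentation for the new setting (admin help text, changelog entry, or a note on the 2.4.0 default flip promised in the commit message), which is worth adding alongside the default.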

@@ -1,6 +1,9 @@
class User < ApplicationRecord
include Verification
attribute :registering_from_web, default: false
%i[newsletter email_digest email_on_direct_message].each do |field|
attribute field, :boolean, default: -> { !Setting["feature.gdpr.require_consent_for_notifications"] }
end
devise :database_authenticatable, :registerable, :confirmable, :recoverable, :rememberable,
:trackable, :validatable, :omniauthable, :password_expirable, :secure_validatable,
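Review bot: The negation in `default: -> { !Setting["feature.gdpr.require_consent_for_notifications"] }` only works if `Setting[]` returns `nil`/`false` when the flag is off; if a disabled flag is stored and returned as a string such as `"false"`, the lambda always evaluates to `false` and every new user is unsubscribed regardless of the setting, so a spec covering both states of the flag would be valuable here. Also note that `attribute field, :boolean, default: ...` overrides the default at the ActiveRecord layer only; rows created through raw SQL or bulk inserts still get the database column default, so the schema default for `newsletter`, `email_digest` and `email_on_direct_message` should be reviewed for the same "no pre-ticked boxes" requirement.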