Audit add and remove ownership request action #8764

Merged
merged 11 commits into from
Aug 27, 2021

joelverhagen
Member

Audit the privileged action of adding or removing (deleting) an ownership request. This should be audited for two reasons:

  1. This is a state-changing action (ownership requests are DB entities) and therefore should be audited on principle.
  2. When an admin flow is introduced to send ownership requests on behalf of a user (i.e. in bulk), the current user (site admin) is different from the sender user (current owner of the package).

Address https://github.com/NuGet/Engineering/issues/4025.

@joelverhagen joelverhagen requested a review from a team as a code owner August 26, 2021 21:20
@joelverhagen joelverhagen merged commit c98395f into dev Aug 27, 2021
@joelverhagen joelverhagen deleted the jver-audit branch August 27, 2021 18:02
@dannyjdev dannyjdev mentioned this pull request Aug 30, 2021
6 tasks
3 participants