New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixes #16850 - Added record of password change to audit log #3970
Conversation
Can an existing organization member please verify this patch? |
2 similar comments
Can an existing organization member please verify this patch? |
Can an existing organization member please verify this patch? |
@theforeman-bot ok to test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some inline comments, but the main thing this is missing is tests for the model changes. Please add some to ensure the auditing happens on password change, and also not on a regular update.
end | ||
|
||
def set_password_changed | ||
self.password_changed = true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems to be missing a conditional, will it not mark password_changed on every model validation?
@@ -445,6 +446,24 @@ def self.try_to_auto_create_user(login, password) | |||
user | |||
end | |||
|
|||
def password_changed | |||
@password_changed ||= nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unsure what ||= nil
is achieving here, should this just be an attr_reader :password_changed
?
@password_changed = value | ||
end | ||
|
||
def password_changed_changed? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this necessary? Doesn't AM::Dirty provide it?
|
||
def set_password_changed | ||
self.password_changed = true | ||
self.audit_comment = 'Password has been changed' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this necessary if the attribute's recorded?
@domcleal I changed pull request and to yours previous comments: 1.attr_reader is fine, thank you, 2. password_changed_changed? is neccessary because it working with virtual attribute and other things I rosolve please could yo look at that ? |
@@ -88,6 +90,7 @@ def self.name_format | |||
before_validation :verify_current_password, :if => Proc.new {|user| user == User.current}, | |||
:unless => Proc.new {|user| user.password.empty?} | |||
before_validation :prepare_password, :normalize_mail | |||
before_validation :set_password_changed, :if => Proc.new { |user| user.manage_password? && !user.password.blank? } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
!..blank? should be present?
@@ -320,6 +320,32 @@ def setup_user(operation) | |||
assert_includes record.errors.keys, :admin | |||
end | |||
|
|||
test "log of password change should be saved" do | |||
user = FactoryGirl.create(:user) | |||
user.password = nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is rather hacky, reload the object from the database instead (User.find_by_id(user.id)
) and add a comment to state why (i.e. to clear the value of user.password).
user.save | ||
as_admin do | ||
user.password = "newpassword" | ||
user.valid? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
assert_valid user
@@ -320,6 +320,32 @@ def setup_user(operation) | |||
assert_includes record.errors.keys, :admin | |||
end | |||
|
|||
test "log of password change should be saved" do |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
audit, not log
end | ||
end | ||
|
||
test "log of password change shouldnt be saved" do |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- shouldn't, missing an apostrophe
- There is no password change here - it isn't that the log of a password change shouldn't be saved, it's that there is no audit log entry created when there is no password change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In this test I want to test that , it should not mark password_changed on every model validation
|
||
test "log of password change shouldnt be saved" do | ||
user = FactoryGirl.create(:user) | ||
user.password = nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto all comments above, they apply to this test too.
after_save :ensure_default_role | ||
after_save :unset_password_changed |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Missing test coverage? A test should run two saves in a row and check for no second audit entry.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dhlavac When I see your tests - it looks like you're calling at most .valid?
and .save
, so I'm not 100% positive this is ggcovered as per the comment above.
thanks @domcleal, I fixed all your comments, could you please take another look? |
assert_includes user.changed, "password_changed" | ||
assert user.save | ||
end | ||
user = User.find_by_id(user.id) #to clear the value of user.password |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is this meant to test the after_save
, isn't it? Replacing the entire user object will also reset the value, so it doesn't test the callback.
@domcleal I have edited test which testing after_save |
@domcleal I hope Final version added assertion for Audit object to every test |
@@ -320,6 +320,68 @@ def setup_user(operation) | |||
assert_includes record.errors.keys, :admin | |||
end | |||
|
|||
test "audit of password change should be saved only once, second time audited changes should not contain password_changed" do | |||
user = FactoryGirl.create(:user) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please move the user creation to a setup
block, it's the same in all 3 hosts. You can group them in a context audits for password change
or similar.
after_save :ensure_default_role | ||
after_save :unset_password_changed |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dhlavac When I see your tests - it looks like you're calling at most .valid?
and .save
, so I'm not 100% positive this is ggcovered as per the comment above.
@dLobatog Audit log was created before validation and after save I set the variable password_changed to false then I think this is correct, if I tested it is not still true. Thanks for comment tests were added to context and setup block was created. |
context "audits for password change" do | ||
def setup_user_for_audits | ||
user = FactoryGirl.create(:user) | ||
user = User.find_by_id(user.id) #to clear the value of user.password |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Useless assignment to variable - user.
Use find_by instead of dynamic find_by_id.
@@ -320,6 +320,71 @@ def setup_user(operation) | |||
assert_includes record.errors.keys, :admin | |||
end | |||
|
|||
context "audits for password change" do |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Block has too many lines. [57/25]
Merged, thanks @dhlavac. |
No description provided.