Limit displayed models in audit logging based on permissions #9181
Comments
th3hamm0r
added a commit
to th3hamm0r/wagtail
that referenced
this issue
Sep 16, 2022
Until now, a user could see the audit log for all (!) custom models, permissions haven't been checked yet. This may disclose sensitive information to unauthorized admin users. Now, only log entries of those content types are displayed, where the user has at least one permission. This change also fixes an issue with the log entries for pages: If the user only had access to specific parts of the sitetree, the audit log still contained all entries of the ancestor pages which the user actually couldn't view/edit. For this, parts of the UserPagePermissionsProxy's explorable_pages() have been extracted into a new viewable_pages() method. Fixes wagtail#9181
4 tasks
th3hamm0r
added a commit
to th3hamm0r/wagtail
that referenced
this issue
Sep 21, 2022
Until now, a user could see the audit log for all (!) custom models, permissions haven't been checked yet. This may disclose sensitive information to unauthorized admin users. Now, only log entries of those content types are displayed, where the user has at least one permission. This change also fixes an issue with the log entries for pages: If the user only had access to specific parts of the sitetree, the audit log still contained all entries of the ancestor pages which the user actually couldn't view/edit. For this, parts of the UserPagePermissionsProxy's explorable_pages() have been extracted into a new viewable_pages() method. Fixes wagtail#9181
th3hamm0r
added a commit
to th3hamm0r/wagtail
that referenced
this issue
Oct 25, 2022
Until now, a user could see the audit log for all (!) custom models, permissions haven't been checked yet. This may disclose sensitive information to unauthorized admin users. Now, only log entries of those content types are displayed, where the user has at least one permission. This change also fixes an issue with the log entries for pages: If the user only had access to specific parts of the sitetree, the audit log still contained all entries of the ancestor pages which the user actually couldn't view/edit. For this, parts of the UserPagePermissionsProxy's explorable_pages() have been extracted into a new viewable_pages() method. Fixes wagtail#9181
th3hamm0r
added a commit
to th3hamm0r/wagtail
that referenced
this issue
Oct 31, 2022
Until now, a user could see the audit log for all (!) custom models, permissions haven't been checked yet. This may disclose sensitive information to unauthorized admin users. Now, only log entries of those content types are displayed, where the user has at least one permission. This change also fixes an issue with the log entries for pages: If the user only had access to specific parts of the sitetree, the audit log still contained all entries of the ancestor pages which the user actually couldn't view/edit. For this, parts of the UserPagePermissionsProxy's explorable_pages() have been extracted into a new viewable_pages() method. Fixes wagtail#9181
th3hamm0r
added a commit
to th3hamm0r/wagtail
that referenced
this issue
Oct 9, 2023
Until now, a user could see the audit log for all custom models, permissions haven't been checked yet. Now, only log entries of those content types are displayed, where the user has at least one permission. The change also adds filtering to the action-dropdown. This avoids showing unnecessary action types, e.g. actions which aren't used at all. All 3 uses of action-dropdowns (site history, page history, generic history) only display those actions, which are used at least once. This partially fixes wagtail#9181.
4 tasks
|
reopening as #11020 is only a partial fix |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your proposal related to a problem?
Currently, a user which for example is only allowed to edit pages (like users of the default editor group), still sees every logged change of any model in the audit log, e.g. changed site settings or changed users (if a superuser has changed them for example), which he actually can't see/edit, therefore he often would not know of their existence, which is bad...
The user cannot view the underlying objects, because if the view permission is missing, there is no link, so that's good! But I think he should not see any log entries of models, for which he doesn't have at least the view permission.
Describe the solution you'd like
Basically, the querysets used for the filters and the listings should only use the content types, which at least can be viewed by the user.
On a first quick look I think it probably requires changes to the filter here (probably by adding/changing the API to contain a user to be used to filter
get_content_type_ids()):wagtail/wagtail/admin/views/reports/audit_logging.py
Lines 34 to 37 in 519caf2
and changes to the listing's queryset (probably by changing
viewable_by_user()):wagtail/wagtail/admin/views/reports/audit_logging.py
Lines 147 to 156 in 519caf2
If you are ok with my proposal, I could, maybe with some guidance, try to implement a PR for that.
The text was updated successfully, but these errors were encountered: