recaptime.dev / phorge
@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge
phorge phabricator
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Remove explicit administrative actions from the user activity log

Summary:
Depends on D20669. Ref T13343. Currently, the user activity log includes a number of explicit administrative actions which some administrator (not a normal user or a suspicious remote address) takes. In most/all cases, these changes are present in the user profile transaction log too, and that's //generally// a better place for them (for example, it doesn't get GC'd after a couple months).

Some of these are so old that they have no writers (like DELETE and EDIT). I'd generally like to modernize this a bit so we can reference it in email (see T13343) and I'd like to modularize the event types as part of that -- partly, cleaning this up makes that modularization easier.

There's maybe some hand-wavey argument that administrative vs non-administrative events could be related and might be useful to see in a single log, but I can't recall a time when that was actually true, and we could always build that kind of view later by just merging the two log sources, or by restoring double-writes for some subset of events. In practice, I've used this log mostly to look for obvious red flags when users report authentication difficulty (e.g., many unauthorized login attempts), and removing administrative actions from the log is only helpful in that use case.

Test Plan: Grepped for all the affected constants, no more hits in the codebase.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13343

Differential Revision: https://secure.phabricator.com/D20670

epriestley 4fd473e7 2ee5e710

+1 -109
-54
src/applications/people/editor/PhabricatorUserEditor.php
··· 74 74 throw $ex; 75 75 } 76 76 77 - $log = PhabricatorUserLog::initializeNewLog( 78 - $this->requireActor(), 79 - $user->getPHID(), 80 - PhabricatorUserLog::ACTION_CREATE); 81 - $log->setNewValue($email->getAddress()); 82 - $log->save(); 83 - 84 77 if ($is_reassign) { 85 78 $log = PhabricatorUserLog::initializeNewLog( 86 79 $this->requireActor(), ··· 100 93 } 101 94 102 95 103 - /** 104 - * @task edit 105 - */ 106 - public function updateUser( 107 - PhabricatorUser $user, 108 - PhabricatorUserEmail $email = null) { 109 - 110 - if (!$user->getID()) { 111 - throw new Exception(pht('User has not been created yet!')); 112 - } 113 - 114 - $user->openTransaction(); 115 - $user->save(); 116 - if ($email) { 117 - $email->save(); 118 - } 119 - 120 - $log = PhabricatorUserLog::initializeNewLog( 121 - $this->requireActor(), 122 - $user->getPHID(), 123 - PhabricatorUserLog::ACTION_EDIT); 124 - $log->save(); 125 - 126 - $user->saveTransaction(); 127 - 128 - return $this; 129 - } 130 - 131 - 132 96 /* -( Editing Roles )------------------------------------------------------ */ 133 97 134 98 /** ··· 151 115 return $this; 152 116 } 153 117 154 - $log = PhabricatorUserLog::initializeNewLog( 155 - $actor, 156 - $user->getPHID(), 157 - PhabricatorUserLog::ACTION_SYSTEM_AGENT); 158 - $log->setOldValue($user->getIsSystemAgent()); 159 - $log->setNewValue($system_agent); 160 - 161 118 $user->setIsSystemAgent((int)$system_agent); 162 119 $user->save(); 163 - 164 - $log->save(); 165 120 166 121 $user->endWriteLocking(); 167 122 $user->saveTransaction(); ··· 189 144 return $this; 190 145 } 191 146 192 - $log = PhabricatorUserLog::initializeNewLog( 193 - $actor, 194 - $user->getPHID(), 195 - PhabricatorUserLog::ACTION_MAILING_LIST); 196 - $log->setOldValue($user->getIsMailingList()); 197 - $log->setNewValue($mailing_list); 198 - 199 147 $user->setIsMailingList((int)$mailing_list); 200 148 $user->save(); 201 - 202 - $log->save(); 203 149 204 150 $user->endWriteLocking(); 205 151 $user->saveTransaction();
-20
src/applications/people/storage/PhabricatorUserLog.php
··· 11 11 const ACTION_LOGIN_LEGALPAD = 'login-legalpad'; 12 12 const ACTION_RESET_PASSWORD = 'reset-pass'; 13 13 14 - const ACTION_CREATE = 'create'; 15 - const ACTION_EDIT = 'edit'; 16 - 17 - const ACTION_ADMIN = 'admin'; 18 - const ACTION_SYSTEM_AGENT = 'system-agent'; 19 - const ACTION_MAILING_LIST = 'mailing-list'; 20 - const ACTION_DISABLE = 'disable'; 21 - const ACTION_APPROVE = 'approve'; 22 - const ACTION_DELETE = 'delete'; 23 - 24 14 const ACTION_CONDUIT_CERTIFICATE = 'conduit-cert'; 25 15 const ACTION_CONDUIT_CERTIFICATE_FAILURE = 'conduit-cert-fail'; 26 16 ··· 31 21 const ACTION_EMAIL_REASSIGN = 'email-reassign'; 32 22 33 23 const ACTION_CHANGE_PASSWORD = 'change-password'; 34 - const ACTION_CHANGE_USERNAME = 'change-username'; 35 24 36 25 const ACTION_ENTER_HISEC = 'hisec-enter'; 37 26 const ACTION_EXIT_HISEC = 'hisec-exit'; ··· 59 48 pht('Login: Signed Required Legalpad Documents'), 60 49 self::ACTION_LOGOUT => pht('Logout'), 61 50 self::ACTION_RESET_PASSWORD => pht('Reset Password'), 62 - self::ACTION_CREATE => pht('Create Account'), 63 - self::ACTION_EDIT => pht('Edit Account'), 64 - self::ACTION_ADMIN => pht('Add/Remove Administrator'), 65 - self::ACTION_SYSTEM_AGENT => pht('Add/Remove System Agent'), 66 - self::ACTION_MAILING_LIST => pht('Add/Remove Mailing List'), 67 - self::ACTION_DISABLE => pht('Enable/Disable'), 68 - self::ACTION_APPROVE => pht('Approve Registration'), 69 - self::ACTION_DELETE => pht('Delete User'), 70 51 self::ACTION_CONDUIT_CERTIFICATE 71 52 => pht('Conduit: Read Certificate'), 72 53 self::ACTION_CONDUIT_CERTIFICATE_FAILURE ··· 77 58 self::ACTION_EMAIL_VERIFY => pht('Email: Verify'), 78 59 self::ACTION_EMAIL_REASSIGN => pht('Email: Reassign'), 79 60 self::ACTION_CHANGE_PASSWORD => pht('Change Password'), 80 - self::ACTION_CHANGE_USERNAME => pht('Change Username'), 81 61 self::ACTION_ENTER_HISEC => pht('Hisec: Enter'), 82 62 self::ACTION_EXIT_HISEC => pht('Hisec: Exit'), 83 63 self::ACTION_FAIL_HISEC => pht('Hisec: Failed Attempt'),
-4
src/applications/people/xaction/PhabricatorUserApproveTransaction.php
··· 19 19 20 20 public function applyExternalEffects($object, $value) { 21 21 $user = $object; 22 - $this->newUserLog(PhabricatorUserLog::ACTION_APPROVE) 23 - ->setOldValue((bool)$user->getIsApproved()) 24 - ->setNewValue((bool)$value) 25 - ->save(); 26 22 27 23 $actor = $this->getActor(); 28 24 $title = pht(
-7
src/applications/people/xaction/PhabricatorUserDisableTransaction.php
··· 17 17 $object->setIsDisabled((int)$value); 18 18 } 19 19 20 - public function applyExternalEffects($object, $value) { 21 - $this->newUserLog(PhabricatorUserLog::ACTION_DISABLE) 22 - ->setOldValue((bool)$object->getIsDisabled()) 23 - ->setNewValue((bool)$value) 24 - ->save(); 25 - } 26 - 27 20 public function getTitle() { 28 21 $new = $this->getNewValue(); 29 22 if ($new) {
-9
src/applications/people/xaction/PhabricatorUserEmpowerTransaction.php
··· 17 17 $object->setIsAdmin((int)$value); 18 18 } 19 19 20 - public function applyExternalEffects($object, $value) { 21 - $user = $object; 22 - 23 - $this->newUserLog(PhabricatorUserLog::ACTION_ADMIN) 24 - ->setOldValue($this->getOldValue()) 25 - ->setNewValue($value) 26 - ->save(); 27 - } 28 - 29 20 public function validateTransactions($object, array $xactions) { 30 21 $user = $object; 31 22 $actor = $this->getActor();
+1 -10
src/applications/people/xaction/PhabricatorUserTransactionType.php
··· 1 1 <?php 2 2 3 3 abstract class PhabricatorUserTransactionType 4 - extends PhabricatorModularTransactionType { 5 - 6 - protected function newUserLog($action) { 7 - return PhabricatorUserLog::initializeNewLog( 8 - $this->getActor(), 9 - $this->getObject()->getPHID(), 10 - $action); 11 - } 12 - 13 - } 4 + extends PhabricatorModularTransactionType {}
-5
src/applications/people/xaction/PhabricatorUserUsernameTransaction.php
··· 24 24 $old_username = $this->getOldValue(); 25 25 $new_username = $this->getNewValue(); 26 26 27 - $this->newUserLog(PhabricatorUserLog::ACTION_CHANGE_USERNAME) 28 - ->setOldValue($old_username) 29 - ->setNewValue($new_username) 30 - ->save(); 31 - 32 27 // The SSH key cache currently includes usernames, so dirty it. See T12554 33 28 // for discussion. 34 29 PhabricatorAuthSSHKeyQuery::deleteSSHKeyCache();