Notifications project / notifications-routing / Merge request !113

[#75] Auditing fixes

Open Carina Antunes requested to merge 75-auditing-fixes into master Jan 10, 2023

From the issue:

  • For users - only audit username and email
  • For egroups - audit group identifier (instead of uuid)
  • Channel snapshot - avoid calling target groups and users inside (it's confusing)
  • Computed users for intersection - it's confusing (in reality it's duplicated from channel snapshot, so perhaps we can just add the key total to it)
  • Unsubscribed users is being audited twice

Closes #75

Last comment merge_requests/110#note_6299000:

It's still not ready. I propose we create a new MR with the same branch because it's getting harder and harder to track. Please go over all cases and only mark as ready to review after it's ready.

I've checked and in the user auditing we're auditing the entire user list (including users from e-groups, which we agreed on omitting for privacy reasons since it's a privacy leak - because someone can add an e-group they don't own and therefore don't have access to the user list but see the info in the auditing), e.g. user-audit.json. We also agreed for external on only auditing email/username.

I propose adding thorough test cases to auditing, especially to make sure we don't leak private data in the external audit.

We're also auditing get group users twice, can we assess if we can change the implementation to fetch them only once? e.g. internal-direct-group-intersect.json

Edited Jan 10, 2023 by Carina Antunes
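
One way to write the leak test the description proposes, as an added example that is not the project's code. The field names (username, email, group_identifier, uuid, members), the record layout and the sample data are assumptions constructed for illustration.

```python
import json

# Assumed schema: only these two user fields may appear in an audit entry.
USER_FIELDS = ("username", "email")

def audit_user(user):
    """Reduce a user record to username and email."""
    return {k: user[k] for k in USER_FIELDS if k in user}

def audit_group(group):
    """Audit a group by its identifier only: no uuid, no resolved members."""
    return {"group_identifier": group["group_identifier"]}

def dedupe(users):
    """Audit each user once, keyed by username, in first-seen order."""
    seen = {}
    for u in users:
        seen.setdefault(u["username"], audit_user(u))
    return list(seen.values())

def build_audit(direct_users, groups, unsubscribed):
    """Build one audit record; group members are counted but never listed."""
    recipients = {u["username"] for u in direct_users}
    for g in groups:
        recipients.update(m["username"] for m in g.get("members", []))
    recipients -= {u["username"] for u in unsubscribed}
    return {
        "target_users": dedupe(direct_users),
        "target_groups": [audit_group(g) for g in groups],
        "unsubscribed_users": dedupe(unsubscribed),
        "total": len(recipients),
    }

def leaked(record, private_values):
    """Return the private values found anywhere in the serialized record."""
    blob = json.dumps(record)
    return sorted(v for v in private_values if v in blob)

# Constructed sample data (not from the project).
GROUP = {"uuid": "0f3c-constructed", "group_identifier": "team-alpha",
         "members": [{"username": "bob", "email": "bob@example.org"},
                     {"username": "eve", "email": "eve@example.org"}]}
ALICE = {"username": "alice", "email": "alice@example.org", "phone": "555-0100"}
CAROL = {"username": "carol", "email": "carol@example.org"}
PRIVATE = ["bob@example.org", "eve@example.org", "0f3c-constructed", "555-0100"]
RECORD = build_audit([ALICE, CAROL], [GROUP], unsubscribed=[CAROL, CAROL])
```

Serializing the whole record and searching it for known-private values catches a leak in any key, including ones added later.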
Source branch: 75-auditing-fixes