[#75] Auditing fixes (!113) · Merge requests · Notifications project / notifications-routing

Carina Antunes requested to merge 75-auditing-fixes into master Jan 10, 2023

From the issue:

For users - only audit username and email
For egroups - audit group identifier (instead of uuid)
Channel snapshot - avoid calling target groups and users inside (its confusing)
Computed users for intersection - it's confusing (in reality its duplicated from channel snapshot, so perhaps we can just add the key total to it
Unsubscribed users is being audited twice

Closes #75

Last comment merge_requests/110#note_6299000:

It's still not ready. I propose we create a new MR with the same branch because it's getting harder and harder to track. Please go over all cases and only mark as ready to review after it's ready.

I've checked and in the user auditing we're auditing the entire user list (including users from e-groups which we agreed on ommiting for privacy reasons since it's a privacy leak - because someone can add a e-group they don't own and therefor don't have access to the user list but see the info in the auditing), eg user-audit.json. We also agreed for external on only auditing email/username.

I propose adding thorough test cases to auditing, specially to make sure we don't leak private data in the external audit.

We're also auditing get group users twice, can we access if we can change the implementation to fetch them only once? eg internal-direct-group-intersect.json

Edited Jan 10, 2023 by Carina Antunes

[#75] Auditing fixes

Merge request reports