Skip to content

[#75] Auditing fixes

Carina Antunes requested to merge 75-auditing-fixes into master

From the issue:

  • For users - only audit username and email
  • For egroups - audit group identifier (instead of uuid)
  • Channel snapshot - avoid calling target groups and users inside (its confusing)
  • Computed users for intersection - it's confusing (in reality its duplicated from channel snapshot, so perhaps we can just add the key total to it
  • Unsubscribed users is being audited twice

Closes #75

Last comment merge_requests/110#note_6299000:

It's still not ready. I propose we create a new MR with the same branch because it's getting harder and harder to track. Please go over all cases and only mark as ready to review after it's ready.

I've checked and in the user auditing we're auditing the entire user list (including users from e-groups which we agreed on ommiting for privacy reasons since it's a privacy leak - because someone can add a e-group they don't own and therefor don't have access to the user list but see the info in the auditing), eg user-audit.json. We also agreed for external on only auditing email/username.

I propose adding thorough test cases to auditing, specially to make sure we don't leak private data in the external audit.

We're also auditing get group users twice, can we access if we can change the implementation to fetch them only once? eg internal-direct-group-intersect.json

Edited by Carina Antunes

Merge request reports

Loading