
Refactor audit events for PasswordsController

What does this MR do and why?

Adds audit event types for PasswordsController. Refactors associated API helpers to use Gitlab::Audit::Auditor to build audit events.

This affects the following services:

  • ee/app/controllers/ee/passwords_controller.rb

This MR also adds a previously uncaught test case where a nonexistent (or secondary) email is used to request a password reset. The previous code would add an audit event with a blank scope; since scope is required in the new audit framework, PasswordsController has been updated to skip auditing when no resource is found.
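The following is an added, self-contained illustration of the behaviour change described above; it is not GitLab's own code and does not use the real Gitlab::Audit::Auditor. `AuditFramework`, `MissingScopeError`, `PasswordResetAuditor`, the event name and message strings, and the `User` records are all constructed for this example. The stand-in framework enforces the "scope is required" rule, the legacy method reproduces the old unconditional audit call, and the new method shows the guard that skips auditing when the email matches no primary address.

```ruby
# Added example (not GitLab's own code). Models the MR's change: an audit
# framework that rejects a blank scope, and a controller helper that only
# audits when a resource was actually found.

class MissingScopeError < ArgumentError; end

# Constructed stand-in for an audit framework that requires a scope.
class AuditFramework
  REQUIRED_KEYS = %i[name author scope target message].freeze

  attr_reader :events

  def initialize
    @events = []
  end

  # Records the event, or raises if any required key is nil/blank.
  def audit(context)
    missing = REQUIRED_KEYS.select { |k| context[k].nil? || context[k].to_s.strip.empty? }
    raise MissingScopeError, "missing required audit keys: #{missing.join(', ')}" unless missing.empty?

    @events << context
    context
  end
end

# Constructed user record: only the primary email is used for password reset lookup.
User = Struct.new(:id, :primary_email, :secondary_emails)

class PasswordResetAuditor
  def initialize(auditor:, users:)
    @auditor = auditor
    @users = users
  end

  # Legacy behaviour: audits unconditionally, so a nonexistent or secondary
  # email yields a nil resource and therefore a blank scope.
  def audit_reset_legacy(email)
    resource = find_by_primary_email(email)
    @auditor.audit(build_context(resource))
  end

  # New behaviour: skip auditing entirely when no resource is found.
  def audit_reset(email)
    resource = find_by_primary_email(email)
    return nil unless resource

    @auditor.audit(build_context(resource))
  end

  private

  def find_by_primary_email(email)
    @users.find { |u| u.primary_email == email }
  end

  # Event name and message are constructed placeholders, not GitLab's values.
  def build_context(resource)
    {
      name: 'password_reset_requested',
      author: resource,
      scope: resource,
      target: resource,
      message: 'Password reset requested'
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  framework = AuditFramework.new
  users = [User.new(1, 'alice@example.com', ['alice.alt@example.com'])]
  helper = PasswordResetAuditor.new(auditor: framework, users: users)

  helper.audit_reset('alice@example.com')          # audited, scope present
  helper.audit_reset('alice.alt@example.com')      # secondary email: skipped
  helper.audit_reset('nobody@example.com')         # nonexistent: skipped
  puts "events recorded: #{framework.events.size}"

  begin
    helper.audit_reset_legacy('nobody@example.com')
  rescue MissingScopeError => e
    puts "legacy path rejected: #{e.message}"
  end
end
```

Running the file records exactly one event (the primary-email case) and shows the legacy call being rejected by the framework for a blank scope, which is the condition the new guard avoids.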

Verification steps

Passwords controller

This is an instance-level audit event and must be verified with admin access. This may only be possible in a local environment.

  1. Log out
  2. Click the password reset link
  3. Open the generated reset email and click the link
  4. Choose a new password
  5. Verify an audit event is created (screenshot attached to the MR: Screenshot_2023-03-31_at_3.40.41_AM)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #374107 (closed)

Edited by Aaron Huntsman
