Refactor audit events for PasswordsController
What does this MR do and why?
Adds audit event types for PasswordsController. Refactors associated API helpers to use Gitlab::Audit::Auditor to build audit events.
This affects the following services:
- ee/app/controllers/ee/passwords_controller.rb
This MR also adds a previously uncaught test case where a nonexistent (or secondary) email is used to retrieve a password. Previous code would add an audit event using a blank scope; since scope is required in the new audit framework, PasswordsController has been updated to not audit such events where resource is not provided.
Verification steps
Passwords controller
This is an instance-level audit event and must be verified with admin access. This may only be possible in a local environment.
- Log out
- Click the password reset link
- Open the generated reset email and click the link
- Choose a new password
- Verify an audit event is created:
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #374107 (closed)
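
The blank-scope case described above, as an added example that is not code from this MR or from GitLab: a password reset requested with a nonexistent or secondary email resolves no resource, so an unguarded audit call has no scope to record. `StubAuditor`, the event name, the message and the helper names are hypothetical stand-ins, and the stub's rejection of a missing scope is an assumption modelled on the description's statement that scope is required.

```ruby
# Added illustration only: StubAuditor stands in for an auditor that requires
# a scope. It is not Gitlab::Audit::Auditor and does not reproduce its API.
module StubAuditor
  REQUIRED = %i[name author scope target message].freeze
  EVENTS = []

  # Records the event, rejecting contexts with a missing required key (assumed).
  def self.audit(context)
    missing = REQUIRED.select { |key| context[key].nil? }
    raise ArgumentError, "missing: #{missing.join(', ')}" unless missing.empty?

    EVENTS << context
    context
  end
end

User = Struct.new(:id, :primary_email)

# Constructed sample data: lookup succeeds only for a primary email.
USERS = [User.new(1, 'alice@example.com')].freeze

def find_resource(email)
  USERS.find { |user| user.primary_email == email }
end

# Hypothetical event name and message, chosen for this example.
def reset_context(resource)
  { name: 'password_reset_requested', author: resource, scope: resource,
    target: resource, message: 'Ask for password reset' }
end

# "Before": always audits, so an unresolved email produces a nil scope.
def audit_reset_unguarded(email)
  StubAuditor.audit(reset_context(find_resource(email)))
end

# "After": no resource means no scope, so no audit event is built.
def audit_reset_guarded(email)
  resource = find_resource(email)
  return nil if resource.nil?

  StubAuditor.audit(reset_context(resource))
end

if __FILE__ == $PROGRAM_NAME
  p audit_reset_guarded('nobody@example.com')
  puts audit_reset_guarded('alice@example.com')[:name]
end
```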