Skip to content

Skip audit event on download of export, if download should be silent

Luke Duncalfe requested to merge 294168-suppress-download-archive-audit-event into master

What does this MR do and why?

If the instance has enabled Silent Admin Exports, and the user who is downloading the export is an admin, we now skip creating the audit event.

https://gitlab.com/gitlab-org/gitlab/-/issues/294168

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Create a project export
  2. As an instance admin (@root) download that project export when it's available
  3. View project audit events, go Secure > Audit events. You should see an audit event for the export download (this is existing functionality).
  4. Now enable the Silent Admin Exports setting.
    1. Enable the export_audit_events feature flag: On the rails console: Feature.enable(:export_audit_events).
    2. Go to /admin/application_settings/general, expand Import and Export Settings and check Silent Admin Exports.
  5. Wait a minute while for the application settings cache to expire.
  6. Download the export file again, and view the project audit events again. There should not be a new new audit event created.

Related to #294168

Merge request reports