-
Notifications
You must be signed in to change notification settings - Fork 631
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Logging feature #832
Comments
While I don't believe this is useful in every application, I can definitely see a case for auditing sometimes. Perhaps it's worth opening up the github wiki to allow more space for documenting common patterns. Spontaneously, rolling your own auditing would be to override the methods we expose in class ApplicationController < ActionController::Base
include Pundit::Authorization
private
def authorize(record, query = nil, policy_class: nil)
audit(...) { super }
end
def skip_authorization = audit(...) { super }
# ... and so on.
end There are however a few areas that are tricky to reach:
There might be some room to adjust the implementation to make these easier to audit. |
Thanks @Burgestrand! I would specifically like to audit access-denied scenarios (i.e. raised authorization errors). Any suggestions for this? |
Oh, absolutely! You would probably Lines 27 to 29 in ec75796
So, to copy the README with some changes: class ApplicationController < ActionController::Base
include Pundit::Authorization
rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
private
def user_not_authorized(error)
audit(:access_denied, message: error.message, policy: error.policy, record: error.record, query: error.query)
# ...
end
end Again, this won't capture |
@Burgestrand Yes but the issue there is using integrations that already rescue this, such as ActiveAdmin. This is why it would be great if pundit could do the logging internally. |
Specifically ActiveAdmin aren't using Having a Pundit adapter makes sense, but it also makes an internal audit/logging solution in Pundit unlikely to be sufficient and you would need to roll your own auditing for this case either way. Another style is administrate which does use Something I haven't tried and is rails-specific is that using the error reporter to listen for |
Thank you! |
Please consider
Is your feature request related to a problem? Please describe.
I would like to have logging of unauthorized access events. This is useful for security, debugging and general usage information.
Describe the solution you'd like
Option to enable logging. Possibly options for log level and events (e.g. all authorization events or just unauthorized events).
Describe alternatives you've considered
https://github.com/stevehodges/pundit_logger
These are complicated monkey-patches that can break. Also probably does not cover all use cases because it does
rescue Pundit::NotAuthorizedError
, I think it would not work with integrations that already do that (e.g. ActiveAdmin).The text was updated successfully, but these errors were encountered: