directus / directus

The flexible backend for all your projects 🐰 Turn your DB into a headless CMS, admin panels, or apps with a custom UI, instant APIs, auth & more.
https://directus.io

Accountability object not available in activity hooks #17266

Open ernst86913 opened 1 year ago

ernst86913 commented 1 year ago

Describe the Bug

Custom Claims / custom accountability are a great feature of Directus. Unfortunately the (custom) accountability object is not passed through to activity hooks - where it would actually be needed for auditing purposes. Therefore it’s not possible to track activities based on custom claims / custom accountability.

To Reproduce

Write a custom claim, use custom claim information to enhance accountability object… listen to activity hooks… accountability object is always empty.

Errors Shown

No response

What version of Directus are you using?

9.22.3

What version of Node.js are you using?

6.14

What database are you using?

15

What browser are you using?

Chrome

How are you deploying Directus?

Docker

br41nslug commented 1 year ago

As a side note: Are you sure that's "nodejs 6.14"? Because that is far below the supported version of LTS (which is 18.x currently)

rijkvanzanten commented 1 year ago

@ernst86913 Can you share a minimal reproduction of a hook where you'd expect this to happen?

ernst86913 commented 1 year ago

@rijkvanzanten Having a look at the central items service, there are 3 calls of the ACTIVITY SERVICE... example:

            const activity = await activityService.createOne({
                action: Action.CREATE,
                user: this.accountability!.user,
                collection: this.collection,
                ip: this.accountability!.ip,
                user_agent: this.accountability!.userAgent,
                origin: this.accountability!.origin,
                item: primaryKey,
            });

Unfortunately in those calls the ACCOUNTABILITY object is not passed over to the activityService... when the activityService emits a filter event after it is called (which I am listening to) I cannot use the accountability information to enrich the activity record with additional information like account information, division information, department information, ... which I later want to use to give access rights to activity logs e.g. to each business division....

So... my proposal would be to simply add the accountability to the activityService call... which can then be used to include it in the activity filter emit.
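A sketch of the audit enrichment described in the comment above, as an added example that is not part of the thread or of Directus itself. The claim keys (`division`, `department`), the `audit_*` columns and the `simulate` stand-in for the extension API are assumptions; only the `activity.create` filter and `ctx.accountability` come from this page.

```javascript
// Hypothetical custom-claim keys and the activity columns they map to
// (assumed names; the thread only speaks of division/department information).
const CLAIM_TO_COLUMN = { division: 'audit_division', department: 'audit_department' };

// Copy selected claims from accountability onto the activity payload.
function enrichActivity(payload, accountability) {
  // When accountability is absent (the behaviour reported in this issue),
  // flag the record instead of throwing, so the gap is visible to auditors
  // and the row cannot be mistaken for one belonging to a division.
  if (!accountability) return { ...payload, audit_context: 'missing' };

  const enriched = { ...payload, audit_context: 'present' };
  for (const [claim, column] of Object.entries(CLAIM_TO_COLUMN)) {
    const value = accountability[claim];
    // Accept only non-empty strings and never overwrite a field the
    // service already set on the payload.
    if (typeof value === 'string' && value.length > 0 && !(column in payload)) {
      enriched[column] = value;
    }
  }
  return enriched;
}

// Hook registration, same shape as the filter hooks shown on this page.
function registerAuditHook({ filter }) {
  filter('activity.create', (input, meta, ctx) => enrichActivity(input, ctx.accountability));
}
if (typeof module !== 'undefined') module.exports = registerAuditHook;

// Stand-in for the extension API so the hook can be exercised outside Directus.
// The payload below is constructed sample data.
function simulate(accountability) {
  const handlers = {};
  registerAuditHook({ filter: (event, fn) => { handlers[event] = fn; } });
  const payload = { action: 'create', collection: 'articles', item: 42 };
  return handlers['activity.create'](payload, {}, { accountability });
}
```

Any per-division permission rule on the activity log should treat rows flagged `missing` as visible to administrators only.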

br41nslug commented 1 year ago

Not quite sure why I set it as improvement yesterday 😅 but I can confirm accountability is always null in any activity event independent of custom claims. Tested with this hook extension:

module.exports = function ({ filter }, {}) {
    filter('activity.create', function (input, meta, ctx) {
        console.log('accountability', ctx.accountability);
        return input;
    });
    filter('activity.update', function (input, meta, ctx) {
        console.log('accountability', ctx.accountability);
        return input;
    });
    filter('activity.delete', function (input, meta, ctx) {
        console.log('accountability', ctx.accountability);
        return input;
    });
}

ernst86913 commented 1 year ago

BTW - just had a look at revisions... same there as well...

ernst86913 commented 1 year ago

@br41nslug Hi - can you please also have a look at revisions? Or should I open a separate issue for it?

br41nslug commented 1 year ago

Have a look at that PR I created, revisions are included in that 😄 Or did you mean in a place I have missed?

ernst86913 commented 1 year ago

Perfect - thank you

Kind regards, Roman

Sent from my iPhone

On 24.01.2023, at 13:49, Brainslug @.***> wrote:



Have a look at that PR i created, revisions are included in that 😄
