Open jespr opened 7 years ago
maybe audit the first x characters so the diff is visible ... otherwise just got to find something that is not confusing to end-users that will see the metric ... or some plain 'old -> new'
Why would end-users care what their `crypted_password` is (let's just continue using that example). I would freak out if I saw that was logged in an audit table.
For other things, it might make sense to log the first few chars.
yeah true ... should be hidden from the user ... then it can be whatever makes sense ...
On Wed, Nov 16, 2016 at 11:04 AM, Jesper Christiansen <notifications@github.com> wrote:

> Why would end-users care what their crypted_password is (let's just continue using that example). I would freak out if I saw that was logged in an audit table.
> For other things, it might make sense to log the first few chars.
Your example in the README uses `crypted_password`. It might make sense to audit that the value of that field changed, but I don't think it makes sense to actually store the old and new value of that field in the audits table, as that would leak password values to another table than wherever the password is currently stored. What do you say @grosser?
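One way to record that a sensitive field changed without copying its values into the audits table, written as an added example in the gem's language; the helper names (`SENSITIVE_ATTRIBUTES`, `audit_changes`, `audit_leaks?`) are hypothetical and not the cia gem's own API, and the change-set shape assumed is the one ActiveRecord's `#changes` returns.

```ruby
# Added example, not code from the cia gem: keep old/new values of sensitive
# attributes out of audit rows while still recording that they changed.
# SENSITIVE_ATTRIBUTES, audit_changes and audit_leaks? are hypothetical names.

# Attributes whose values must never appear in an audit row.
SENSITIVE_ATTRIBUTES = %w[crypted_password password_salt].freeze

FILTERED = '[FILTERED]'.freeze

# changes has the shape ActiveRecord's #changes returns: { "attr" => [old, new] }.
# Returns one audit row per attribute. Sensitive attributes keep only the fact
# that the value changed; their old/new values are replaced by FILTERED.
def audit_changes(changes, sensitive: SENSITIVE_ATTRIBUTES)
  changes.map do |attribute, (old_value, new_value)|
    name = attribute.to_s
    if sensitive.include?(name)
      { attribute: name, old_value: FILTERED, new_value: FILTERED }
    else
      { attribute: name, old_value: old_value, new_value: new_value }
    end
  end
end

# Self-check for a test suite: true if any raw value of a sensitive attribute
# from the original change set shows up anywhere in the generated audit rows.
def audit_leaks?(rows, changes, sensitive: SENSITIVE_ATTRIBUTES)
  secrets = changes.select { |attr, _| sensitive.include?(attr.to_s) }
                   .flat_map { |_, (old_value, new_value)| [old_value, new_value] }
                   .compact.map(&:to_s)
  rows.any? do |row|
    [row[:old_value], row[:new_value]].any? { |v| secrets.include?(v.to_s) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample change set, including a bcrypt-style digest change.
  changes = {
    'email' => ['alice@example.org', 'alice@example.net'],
    'crypted_password' => ['$2a$10$olddigest', '$2a$10$newdigest']
  }
  rows = audit_changes(changes)
  rows.each { |r| puts "#{r[:attribute]}: #{r[:old_value]} -> #{r[:new_value]}" }
  puts "leak: #{audit_leaks?(rows, changes)}"
end
```

Running `audit_leaks?` over rows produced by a naive "store everything" logger is the regression test that catches the leak this issue describes.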