fix: Add name to object being audited on access grant (#37856)

Author: KevLehman

apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts

@@ -18,5 +18,5 @@ beforeAddUserToRoom.patch(async (prev, users, room, actor) => {
 		throw new Error('error-room-is-abac-managed');
 	}
 
-	await Abac.checkUsernamesMatchAttributes(validUsers as string[], room.abacAttributes, room._id);
+	await Abac.checkUsernamesMatchAttributes(validUsers as string[], room.abacAttributes, room);
 });

ee/packages/abac/src/index.ts

@@ -463,7 +463,7 @@ export class AbacService extends ServiceClass implements IAbacService {
 		await this.onRoomAttributesChanged(room, updated?.abacAttributes || []);
 	}
 
-	async checkUsernamesMatchAttributes(usernames: string[], attributes: IAbacAttributeDefinition[], objectId: string): Promise<void> {
+	async checkUsernamesMatchAttributes(usernames: string[], attributes: IAbacAttributeDefinition[], object: IRoom): Promise<void> {
 		if (!usernames.length || !attributes.length) {
 			return;
 		}
@@ -486,7 +486,7 @@ export class AbacService extends ServiceClass implements IAbacService {
 
 		usernames.forEach((username) => {
 			// TODO: Add room name
-			void Audit.actionPerformed({ username }, { _id: objectId }, 'system', 'granted-object-access');
+			void Audit.actionPerformed({ username }, { _id: object._id, name: object.name }, 'system', 'granted-object-access');
 		});
 	}
 

ee/packages/abac/src/service.spec.ts

@@ -1037,12 +1037,14 @@ describe('AbacService (unit)', () => {
 		const attributes = [{ key: 'dept', values: ['eng'] }];
 
 		it('returns early (no query) when usernames array is empty', async () => {
-			await expect(service.checkUsernamesMatchAttributes([], attributes as any, 'objectId')).resolves.toBeUndefined();
+			await expect(
+				service.checkUsernamesMatchAttributes([], attributes as any, { _id: 'xxxxx', name: 'name' } as any),
+			).resolves.toBeUndefined();
 			expect(mockUsersFind).not.toHaveBeenCalled();
 		});
 
 		it('returns early (no query) when attributes array is empty', async () => {
-			await expect(service.checkUsernamesMatchAttributes(['alice'], [], 'objectId')).resolves.toBeUndefined();
+			await expect(service.checkUsernamesMatchAttributes(['alice'], [], { _id: 'xxxxx', name: 'name' } as any)).resolves.toBeUndefined();
 			expect(mockUsersFind).not.toHaveBeenCalled();
 		});
 
@@ -1054,7 +1056,9 @@ describe('AbacService (unit)', () => {
 				}),
 			}));
 
-			await expect(service.checkUsernamesMatchAttributes(usernames, attributes as any, 'objectId')).resolves.toBeUndefined();
+			await expect(
+				service.checkUsernamesMatchAttributes(usernames, attributes as any, { _id: 'xxxxx', name: 'name' } as any),
+			).resolves.toBeUndefined();
 
 			expect(mockUsersFind).toHaveBeenCalledWith(
 				{
@@ -1085,7 +1089,9 @@ describe('AbacService (unit)', () => {
 				}),
 			}));
 
-			await expect(service.checkUsernamesMatchAttributes(usernames, attributes as any, 'objectId')).rejects.toMatchObject({
+			await expect(
+				service.checkUsernamesMatchAttributes(usernames, attributes as any, { _id: 'xxxxx', name: 'name' } as any),
+			).rejects.toMatchObject({
 				code: 'error-only-compliant-users-can-be-added-to-abac-rooms',
 			});
 		});
@@ -1099,7 +1105,9 @@ describe('AbacService (unit)', () => {
 				}),
 			}));
 
-			await expect(service.checkUsernamesMatchAttributes(usernames, attributes as any, 'objectId')).resolves.toBeUndefined();
+			await expect(
+				service.checkUsernamesMatchAttributes(usernames, attributes as any, { _id: 'xxxxx', name: 'name' } as any),
+			).resolves.toBeUndefined();
 
 			expect(mockCreateAuditServerEvent).toHaveBeenCalledTimes(usernames.length);
 			const calledUsernames = mockCreateAuditServerEvent.mock.calls.map(([, payload]: any[]) => payload?.subject?.username).filter(Boolean);
@@ -1116,7 +1124,9 @@ describe('AbacService (unit)', () => {
 				}),
 			}));
 
-			await expect(service.checkUsernamesMatchAttributes(usernames, attributes as any, 'objectId')).rejects.toMatchObject({
+			await expect(
+				service.checkUsernamesMatchAttributes(usernames, attributes as any, { _id: 'xxxxx', name: 'name' } as any),
+			).rejects.toMatchObject({
 				code: 'error-only-compliant-users-can-be-added-to-abac-rooms',
 			});
 

packages/core-services/src/types/IAbacService.ts

@@ -38,7 +38,7 @@ export interface IAbacService {
 	removeRoomAbacAttribute(rid: string, key: string, actor: AbacActor | undefined): Promise<void>;
 	addRoomAbacAttributeByKey(rid: string, key: string, values: string[], actor: AbacActor | undefined): Promise<void>;
 	replaceRoomAbacAttributeByKey(rid: string, key: string, values: string[], actor: AbacActor | undefined): Promise<void>;
-	checkUsernamesMatchAttributes(usernames: string[], attributes: IAbacAttributeDefinition[], objectId: string): Promise<void>;
+	checkUsernamesMatchAttributes(usernames: string[], attributes: IAbacAttributeDefinition[], object: IRoom): Promise<void>;
 	canAccessObject(
 		room: Pick<IRoom, '_id' | 't' | 'teamId' | 'prid' | 'abacAttributes'>,
 		user: Pick<IUser, '_id'>,