Audit

gabriellsh · gabriellsh · commit a6ce0861228c · 2025-02-07T16:55:19.000-03:00
diff --git a/apps/meteor/app/api/server/v1/users.ts b/apps/meteor/app/api/server/v1/users.ts
@@ -25,6 +25,7 @@ import { Match, check } from 'meteor/check';
 import { Meteor } from 'meteor/meteor';
 import type { Filter } from 'mongodb';
 
+import { UserChangedAuditStore } from '../../../../server/lib/auditServerEvents/userChanged';
 import { i18n } from '../../../../server/lib/i18n';
 import { resetUserE2EEncriptionKey } from '../../../../server/lib/resetUserE2EKey';
 import { sendWelcomeEmail } from '../../../../server/lib/sendWelcomeEmail';
@@ -101,10 +102,17 @@ API.v1.addRoute(
 			if (userData.name && !validateNameChars(userData.name)) {
 				return API.v1.failure('Name contains invalid characters');
 			}
+			const auditStore = new UserChangedAuditStore({
+				_id: this.bodyParams.userId,
+				ip: this.requestIp,
+				useragent: this.request.headers['user-agent'] || '',
+				username: (await Meteor.userAsync())?.username || '',
+			});
 
-			const updater = Users.getUpdater();
-			await saveUser(this.userId, userData, updater);
+			const _updater = Users.getUpdater();
+			await saveUser(this.userId, userData, { _updater, auditStore });
 
+			// Waiting for customfields refactor to be merged, then this will be audited within saveUser function
 			if (this.bodyParams.data.customFields) {
 				await saveCustomFields(this.bodyParams.userId, this.bodyParams.data.customFields);
 			}
@@ -117,7 +125,20 @@ API.v1.addRoute(
 				} = this.bodyParams;
 
 				await Meteor.callAsync('setUserActiveStatus', userId, active, Boolean(confirmRelinquish));
+				// This has no other use than for auditing active status changes
+				// 'setUserActiveStatus' has a lot of side effects making it difficult to use updater
+				// This updater should have been already commited by this point
+				_updater.set('active', active);
+			}
+
+			if (this.bodyParams.data.password || this.bodyParams.data.setRandomPassword) {
+				// Password is also not tracker by updater
+				_updater.set('services', { password: {} });
 			}
+
+			auditStore.setUpdateFilter(_updater._getUpdateFilter());
+			void auditStore.commitAuditEvent();
+
 			const { fields } = await this.parseJsonQuery();
 
 			const user = await Users.findOneById(this.bodyParams.userId, { projection: fields });
diff --git a/apps/meteor/app/lib/server/functions/saveUser/saveUser.ts b/apps/meteor/app/lib/server/functions/saveUser/saveUser.ts
@@ -21,7 +21,7 @@ import { saveNewUser } from './saveNewUser';
 import { sendPasswordEmail } from './sendUserEmail';
 import { validateUserData } from './validateUserData';
 import { validateUserEditing } from './validateUserEditing';
-import { asyncLocalStorage } from '../../../../../server/lib/auditServerEvents/userChanged';
+import type { UserChangedAuditStore } from '../../../../../server/lib/auditServerEvents/userChanged';
 
 export type SaveUserData = {
 	_id?: IUser['_id'];
@@ -50,7 +50,12 @@ export type SaveUserData = {
 export type UpdateUserData = RequiredField<SaveUserData, '_id'>;
 export const isUpdateUserData = (params: SaveUserData): params is UpdateUserData => '_id' in params && !!params._id;
 
-export const saveUser = async function (userId: IUser['_id'], userData: SaveUserData, _updater?: Updater<IUser>) {
+type SaveUserOptions = {
+	_updater?: Updater<IUser>;
+	auditStore?: UserChangedAuditStore;
+};
+
+export const saveUser = async function (userId: IUser['_id'], userData: SaveUserData, options?: SaveUserOptions) {
 	const oldUserData = userData._id && (await Users.findOneById(userData._id));
 	if (oldUserData && isUserFederated(oldUserData)) {
 		throw new Meteor.Error('Edit_Federated_User_Not_Allowed', 'Not possible to edit a federated user');
@@ -80,13 +85,12 @@ export const saveUser = async function (userId: IUser['_id'], userData: SaveUser
 		return saveNewUser(userData, sendPassword);
 	}
 
-	const store = asyncLocalStorage.getStore();
-	store?.setOriginalUser(oldUserData);
+	options?.auditStore?.setOriginalUser(oldUserData);
 
 	await validateUserEditing(userId, userData);
 
 	// update user
-	const updater = _updater || Users.getUpdater();
+	const updater = options?._updater || Users.getUpdater();
 
 	if (userData.hasOwnProperty('username') || userData.hasOwnProperty('name')) {
 		if (
@@ -152,9 +156,6 @@ export const saveUser = async function (userId: IUser['_id'], userData: SaveUser
 
 	// App IPostUserUpdated event hook
 	const userUpdated = await Users.findOneById(userData._id);
-	if (userUpdated) {
-		store?.setCurrentUser(userUpdated);
-	}
 
 	await callbacks.run('afterSaveUser', {
 		user: userUpdated,
