Merge branch 'main' of https://github.com/d0ubIeU/phpMyFAQ

Author: d0ubIeU

CHANGELOG.md

@@ -11,6 +11,8 @@ This is a log of major user-visible changes in each phpMyFAQ release.
 - changed PHP requirement to PHP 8.4 or later (Thorsten)
 - added Symfony Router for frontend (Thorsten)
 - added API for glossary definitions (Thorsten)
+- added admin log CSV export feature (Thorsten)
+- improved audit and activity log with comprehensive security event tracking (Thorsten)
 - improved API errors with formatted RFC 7807 Problem Details JSON responses (Thorsten)
 - migrated codebase to use PHP 8.4 language features (Thorsten)
 

composer.lock

@@ -20,6 +20,7 @@ import {
   handleCreateReport,
   handleDeleteAdminLog,
   handleDeleteSessions,
+  handleExportAdminLog,
   handleSessions,
   handleSessionsFilter,
   handleStatistics,
@@ -141,6 +142,7 @@ document.addEventListener('DOMContentLoaded', async (): Promise<void> => {
 
   // Statistics
   handleDeleteAdminLog();
+  handleExportAdminLog();
   handleStatistics();
   handleCreateReport();
   handleTruncateSearchTerms();

phpmyfaq/admin/assets/src/index.ts

@@ -17,6 +17,57 @@ import { deleteAdminLog } from '../api';
 import { pushErrorNotification, pushNotification } from '../../../../assets/src/utils';
 import { Response } from '../interfaces';
 
+export const handleExportAdminLog = (): void => {
+  const buttonExportAdminLog = document.getElementById('pmf-export-admin-log') as HTMLButtonElement | null;
+
+  if (buttonExportAdminLog) {
+    buttonExportAdminLog.addEventListener('click', async (event: Event): Promise<void> => {
+      event.preventDefault();
+      const target = event.currentTarget as HTMLElement;
+      const csrf = target.getAttribute('data-pmf-csrf');
+
+      if (!csrf) {
+        pushErrorNotification('Missing CSRF token');
+        return;
+      }
+
+      try {
+        const response = await fetch('/admin/api/statistics/admin-log/export', {
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json',
+          },
+          body: JSON.stringify({ csrf }),
+        });
+
+        if (response.ok) {
+          const blob = await response.blob();
+          const url = window.URL.createObjectURL(blob);
+          const contentDisposition = response.headers.get('Content-Disposition');
+          const filename = contentDisposition
+            ? contentDisposition.split('filename=')[1]?.replace(/"/g, '')
+            : 'admin-log-export.csv';
+
+          const a = document.createElement('a');
+          a.href = url;
+          a.download = filename;
+          document.body.appendChild(a);
+          a.click();
+          document.body.removeChild(a);
+          window.URL.revokeObjectURL(url);
+
+          pushNotification('Admin log exported successfully');
+        } else {
+          const errorData = await response.json();
+          pushErrorNotification(errorData.error || 'Export failed');
+        }
+      } catch (error) {
+        pushErrorNotification('Export error: ' + error);
+      }
+    });
+  }
+};
+
 export const handleDeleteAdminLog = (): void => {
   const buttonDeleteAdminLog = document.getElementById('pmf-delete-admin-log') as HTMLButtonElement | null;
 

phpmyfaq/admin/assets/src/statistics/admin-log.ts

@@ -8,6 +8,9 @@
     </h1>
     <div class="btn-toolbar mb-2 mb-md-0">
       <div class="btn-group mr-2">
+        <button class="btn btn-outline-success" id="pmf-export-admin-log" data-pmf-csrf="{{ csrfExportAdminLogToken }}">
+          <i aria-hidden="true" class="bi bi-download"></i> {{ buttonExportAdminLog }}
+        </button>
         <button class="btn btn-outline-danger" id="pmf-delete-admin-log" data-pmf-csrf="{{ csrfDeleteAdminLogToken }}">
           <i aria-hidden="true" class="bi bi-trash"></i> {{ buttonDeleteAdminLog }}
         </button>

phpmyfaq/assets/templates/admin/statistics/admin-log.twig

@@ -54,7 +54,7 @@
 
         {% if totalPages > 1 %}
           <p>
-            <strong>{{ msgPage }}{{ currentPage }} {{ from }} {{ msgSearchResults }}</strong>
+            <strong>{{ msgPage }}{{ currentPage }} {{ from }} {{ msgSearchResultsPagination }}</strong>
           </p>
         {% endif %}
 
@@ -122,7 +122,7 @@
         <h4 class="fst-italic">{{ msgMostPopularSearches }}</h4>
         <div class="clearfix">
           {% for popular in mostPopularSearches %}
-            <a class="btn btn-outline-primary m-1" href="?search={{ popular['searchterm'] }}">
+            <a class="btn btn-outline-primary m-1" href="./search.html?search={{ popular['searchterm'] }}">
               {{ popular['searchterm'] }} <span class="badge bg-info">{{ popular['number'] }}x</span>
             </a>
           {% endfor %}

phpmyfaq/assets/templates/default/search.twig

@@ -17,6 +17,7 @@
 
 declare(strict_types=1);
 
+use phpMyFAQ\Controller\Administration\Api\AdminLogController;
 use phpMyFAQ\Controller\Administration\Api\AttachmentController;
 use phpMyFAQ\Controller\Administration\Api\CategoryController;
 use phpMyFAQ\Controller\Administration\Api\CommentController;
@@ -522,6 +523,11 @@
         'methods' => 'POST',
     ],
     // Statistics API
+    'admin.api.statistics.adminlog.export' => [
+        'path' => '/statistics/admin-log/export',
+        'controller' => [AdminLogController::class, 'export'],
+        'methods' => 'POST',
+    ],
     'admin.api.statistics.adminlog.delete' => [
         'path' => '/statistics/admin-log',
         'controller' => [StatisticsController::class, 'deleteAdminLog'],

phpmyfaq/src/admin-api-routes.php

@@ -23,6 +23,7 @@
 use phpMyFAQ\Enums\PermissionType;
 use phpMyFAQ\Filter;
 use phpMyFAQ\Pagination;
+use phpMyFAQ\Pagination\UrlConfig;
 use phpMyFAQ\Session\Token;
 use phpMyFAQ\Translation;
 use phpMyFAQ\Twig\Extensions\UserNameTwigExtension;
@@ -46,16 +47,14 @@ public function index(Request $request): Response
         $this->userHasPermission(PermissionType::STATISTICS_ADMINLOG);
 
         $itemsPerPage = 15;
-        $page = Filter::filterVar($request->attributes->get('page'), FILTER_VALIDATE_INT, 1);
+        $page = Filter::filterVar($request->query->get('page'), FILTER_VALIDATE_INT, 1);
 
-        // Pagination options
-        $options = [
-            'baseUrl' => $request->getUri(),
-            'total' => $this->adminLog->getNumberOfEntries(),
-            'perPage' => $itemsPerPage,
-            'pageParamName' => 'page',
-        ];
-        $pagination = new Pagination($options);
+        $pagination = new Pagination(
+            baseUrl: $request->getUri(),
+            total: $this->adminLog->getNumberOfEntries(),
+            perPage: $itemsPerPage,
+            urlConfig: new UrlConfig(pageParamName: 'page'),
+        );
 
         $loggingData = $this->adminLog->getAll();
 
@@ -68,7 +67,9 @@ public function index(Request $request): Response
             ...$this->getHeader($request),
             ...$this->getFooter(),
             'headerAdminLog' => Translation::get(key: 'ad_menu_adminlog'),
+            'buttonExportAdminLog' => Translation::get(key: 'msgAdminLogExportCsv'),
             'buttonDeleteAdminLog' => Translation::get(key: 'ad_adminlog_del_older_30d'),
+            'csrfExportAdminLogToken' => Token::getInstance($this->session)->getTokenString('export-adminlog'),
             'csrfDeleteAdminLogToken' => Token::getInstance($this->session)->getTokenString('delete-adminlog'),
             'currentLocale' => $this->configuration->getLanguage()->getLanguage(),
             'pagination' => $pagination->render(),

phpmyfaq/src/phpMyFAQ/Controller/Administration/AdminLogController.php

@@ -0,0 +1,33 @@
+<?php
+
+/**
+ * The abstract Administration API controller
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <[email protected]>
+ * @copyright 2026 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2026-01-06
+ */
+
+namespace phpMyFAQ\Controller\Administration\Api;
+
+use phpMyFAQ\Administration\AdminLog;
+use phpMyFAQ\Controller\AbstractController;
+
+class AbstractAdministrationApiController extends AbstractController
+{
+    protected ?AdminLog $adminLog = null;
+
+    public function __construct()
+    {
+        parent::__construct();
+
+        $this->adminLog = $this->container->get(id: 'phpmyfaq.admin.admin-log');
+    }
+}

phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/AbstractAdministrationApiController.php

@@ -0,0 +1,99 @@
+<?php
+
+/**
+ * The Admin Log API Controller
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <[email protected]>
+ * @copyright 2026 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2026-01-06
+ */
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Controller\Administration\Api;
+
+use phpMyFAQ\Enums\AdminLogType;
+use phpMyFAQ\Enums\PermissionType;
+use phpMyFAQ\Session\Token;
+use phpMyFAQ\Translation;
+use phpMyFAQ\User;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Routing\Attribute\Route;
+
+final class AdminLogController extends AbstractAdministrationApiController
+{
+    /**
+     * @throws \Exception
+     */
+    #[Route(
+        path: './admin/api/statistics/admin-log/export',
+        name: 'admin.api.statistics.adminlog.export',
+        methods: ['POST'],
+    )]
+    public function export(Request $request): Response|JsonResponse
+    {
+        $this->userHasPermission(PermissionType::STATISTICS_ADMINLOG);
+
+        $data = json_decode($request->getContent());
+
+        if (!Token::getInstance($this->session)->verifyToken('export-adminlog', $data->csrf)) {
+            return $this->json(['error' => Translation::get(key: 'msgNoPermission')], Response::HTTP_UNAUTHORIZED);
+        }
+
+        $loggingData = $this->adminLog->getAll();
+
+        $handle = fopen('php://temp', 'r+');
+        fputcsv(
+            $handle,
+            ['ID', 'Date/Time', 'User ID', 'Username', 'IP Address', 'Action'],
+            separator: ',',
+            enclosure: '"',
+            eol: PHP_EOL,
+        );
+
+        foreach ($loggingData as $log) {
+            $user = new User($this->configuration);
+            $user->getUserById($log->getUserId());
+            $username = $user->getLogin();
+
+            fputcsv(
+                $handle,
+                [
+                    $log->getId(),
+                    date('Y-m-d H:i:s', $log->getTime()),
+                    $log->getUserId(),
+                    $username,
+                    $log->getIp(),
+                    $log->getText(),
+                ],
+                separator: ',',
+                enclosure: '"',
+                eol: PHP_EOL,
+            );
+        }
+
+        rewind($handle);
+        $content = stream_get_contents($handle);
+        fclose($handle);
+
+        $this->adminLog->log($this->currentUser, AdminLogType::DATA_EXPORT_LOGS->value);
+
+        $response = new Response($content);
+        $response->headers->set('Content-Type', 'text/csv');
+        $response->headers->set(
+            'Content-Disposition',
+            'attachment; filename="admin-log-export-' . date('Y-m-d-His') . '.csv"',
+        );
+
+        return $response;
+    }
+}