Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Audit logs contain full user details, for organization audit logs this extends the user read permissions #13949

Open
Labels
multi-orgtemporary label for multiple organizations related worksecurityArea: security
@Emyrk

Description

@Emyrk

Audit logs currently expose a full user per log:

User*User`json:"user"`

This implicitly grants a "read" permission touser, even if the audit logs are scoped to an organization. Either we should strip down the user's returned fields, or return striped fields if the caller cannot read the user.

It feels more consistent to strip the information from all audit logs. The information is not 100% correct today anyway. An audit log from 1 month ago is joined with the user's table from today. So the log line does not record the user's state at the time of the event.

Metadata

Metadata

Assignees

No one assigned

    Labels

    multi-orgtemporary label for multiple organizations related worksecurityArea: security

    Type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions

      [8]ページ先頭
      ©2009-2025 Movatter.jp