From dfb216a8df0a8241f8b5531712dd12570814b155 Mon Sep 17 00:00:00 2001 From: rubenwardy Date: Sat, 5 Dec 2020 02:41:53 +0000 Subject: [PATCH] Log sensitive account changes --- app/blueprints/users/account.py | 13 ++++++++++++- app/models.py | 5 +++-- app/templates/admin/audit.html | 2 ++ app/templates/base.html | 2 +- migrations/versions/c154912eaa0c_.py | 24 ++++++++++++++++++++++++ 5 files changed, 42 insertions(+), 4 deletions(-) create mode 100644 migrations/versions/c154912eaa0c_.py diff --git a/app/blueprints/users/account.py b/app/blueprints/users/account.py index 6c9e4786..0713d4e6 100644 --- a/app/blueprints/users/account.py +++ b/app/blueprints/users/account.py @@ -24,7 +24,7 @@ from wtforms.validators import * from app.models import * from app.tasks.emails import sendVerifyEmail, sendEmailRaw -from app.utils import randomString, make_flask_login_password, is_safe_url, check_password_hash +from app.utils import randomString, make_flask_login_password, is_safe_url, check_password_hash, addAuditLog from passlib.pwd import genphrase from . import bp @@ -112,6 +112,9 @@ def register(): user = User(form.username.data, False, form.email.data, make_flask_login_password(form.password.data)) db.session.add(user) + addAuditLog(AuditSeverity.USER, user, "Registered", + url_for("users.profile", username=user.username)) + token = randomString(32) ver = UserEmailVerification() @@ -142,6 +145,9 @@ def forgot_password(): if user: token = randomString(32) + addAuditLog(AuditSeverity.USER, user, "(Anonymous) requested a password reset", + url_for("users.profile", username=user.username), None) + ver = UserEmailVerification() ver.user = user ver.token = token 
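Review bot: In the forgot_password hunk (@@ -142,6 +145,9 @@) the new entry is attributed to `user`, the account named in the form, although the request comes from an unauthenticated visitor, so an auditor reading the log sees the target account listed as the actor of an action it did not take. The "(Anonymous)" prefix in the description only partly compensates, and this call also passes a fifth `None` argument that the three sibling calls in this commit omit — presumably the optional package slot of addAuditLog, whose signature is not visible here. Consider making the origin explicit in the description, e.g. `"Password reset requested for this account by an anonymous visitor"`, and, if the log schema can hold it, recording the request origin alongside the entry. Because this path is reachable without login, every submission naming a known email now writes an audit row, which is worth keeping in mind when sizing the audit table or rate-limiting the form.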
@@ -188,6 +194,8 @@ def handle_set_password(form): flash("Passwords do not much", "danger") return + addAuditLog(AuditSeverity.USER, current_user, "Changed their password", url_for("users.profile", username=current_user.username)) + current_user.password = make_flask_login_password(form.password.data) db.session.commit() @@ -259,6 +267,9 @@ def verify_email(): flash("Unknown verification token!", "danger") return redirect(url_for("homepage.home")) + addAuditLog(AuditSeverity.USER, ver.user, "Confirmed their email", + url_for("users.profile", username=ver.user.username)) + was_activating = not ver.user.is_active ver.user.is_active = True ver.user.email = ver.email diff --git a/app/models.py b/app/models.py index 69d30d66..9e89b30a 100644 --- a/app/models.py +++ b/app/models.py @@ -1366,8 +1366,9 @@ class PackageReview(db.Model): class AuditSeverity(enum.Enum): NORMAL = 0 # Normal user changes - EDITOR = 1 # Editor changes - MODERATION = 2 # Destructive / moderator changes + USER = 1 # Security user changes + EDITOR = 2 # Editor changes + MODERATION = 3 # Destructive / moderator changes def __str__(self): return self.name diff --git a/app/templates/admin/audit.html b/app/templates/admin/audit.html index c3915482..483dc018 100644 --- a/app/templates/admin/audit.html +++ b/app/templates/admin/audit.html @@ -26,6 +26,8 @@ Audit Log {% elif entry.severity == entry.severity.EDITOR %} + {% elif entry.severity == entry.severity.USER %} + {% endif %} diff --git a/app/templates/base.html b/app/templates/base.html index ef4ab51e..2b7f4083 100644 --- a/app/templates/base.html +++ b/app/templates/base.html @@ -7,7 +7,7 @@ {% block title %}title{% endblock %} - {{ config.USER_APP_NAME }} - + diff --git a/migrations/versions/c154912eaa0c_.py b/migrations/versions/c154912eaa0c_.py new file mode 100644 index 00000000..3263deac --- /dev/null +++ b/migrations/versions/c154912eaa0c_.py 
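Review bot: The addAuditLog call added in handle_set_password (@@ -188,6 +194,8 @@) puts the whole call on one line, whereas the three sibling calls in this commit wrap the `url_for(...)` argument onto a continuation line; keeping the same two-line shape here makes the four call sites easier to scan. The row is also written before `current_user.password` is assigned on the following context line; since both land in the same session and are flushed by the `db.session.commit()` after it, this is harmless, but placing the call after the assignment reads as recording what happened rather than what is about to happen. The enclosing function starts before the hunk.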
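Review bot: In verify_email (@@ -259,6 +267,9 @@) the new entry reads `"Confirmed their email"` for every token, but the context lines below show the handler also rewrites `ver.user.email = ver.email`, so the same wording covers both first-time activation and a change of address on an existing account — the latter being the event most worth spotting in an audit log. `was_activating` is computed on the line right after the new call, so moving the call below it and choosing the text from it keeps the two cases apart, e.g. `addAuditLog(AuditSeverity.USER, ver.user, "Confirmed their email" if was_activating else "Changed their email", url_for("users.profile", username=ver.user.username))`. Whether the old and new addresses belong in the description depends on who can read the audit page; at minimum the entry should say that an address change happened.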
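Review bot: Inserting `USER = 1` into AuditSeverity (app/models.py hunk) renumbers EDITOR and MODERATION, so any code that compares, sorts or persists `severity.value` rather than the member name would silently reclassify existing entries. The migration in this commit alters a native Postgres enum type, which suggests the column itself is stored by label and is unaffected, but other consumers of the integer (filters, query parameters, serialised entries) are not visible here and deserve a search before merging. The comment `# Security user changes` is also vague next to its neighbours; judging from the four call sites in this commit it could read `# Security-relevant changes to a user's own account (registration, password, email)`.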
@@ -0,0 +1,24 @@ +"""empty message + +Revision ID: c154912eaa0c +Revises: 7f166b5218d7 +Create Date: 2020-12-05 02:29:16.706564 + +""" +from alembic import op +import sqlalchemy as sa + + +# revision identifiers, used by Alembic. +revision = 'c154912eaa0c' +down_revision = '7f166b5218d7' +branch_labels = None +depends_on = None + + +def upgrade(): + op.execute("COMMIT") + op.execute("ALTER TYPE auditseverity ADD VALUE 'USER'") + +def downgrade(): + pass
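Review bot: `ALTER TYPE auditseverity ADD VALUE 'USER'` appends the new label after MODERATION in Postgres's enum sort order, while the Python enum in this commit places USER between NORMAL and EDITOR; any SQL-side `ORDER BY severity` or severity comparison would then rank plain user changes above moderation actions. Postgres accepts a position, so `op.execute("ALTER TYPE auditseverity ADD VALUE 'USER' AFTER 'NORMAL'")` keeps both orderings aligned. The module docstring is still the generated `"""empty message` and should name the change, and `downgrade()` deserves a one-line comment stating that the label is deliberately left in place because Postgres cannot drop an enum value. The `op.execute("COMMIT")` before the ALTER also merits a comment explaining that it ends the migration's transaction because older Postgres versions refuse ADD VALUE inside a transaction block.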