Implement Fallback Mechanism and Audit Logging for Profile Edits #2147

Closed
krishna619 opened this issue Apr 3, 2024 · 3 comments

@krishna619

Is your feature request related to a problem? Please describe.
In light of the security vulnerabilities recently discovered in #2131, we should implement a robust fallback/recovery mechanism and an audit logging system to enhance the security and integrity of user profile management.

Users may lose access to their accounts due to unauthorized profile changes, especially in roles and permissions. We need to implement a recovery mechanism that allows users to restore access to their accounts.

Recovery Options:
Provide users with options to recover their accounts via email verification or security questions.

Audit Logging System

To track and ensure the authorized use of profile editing capabilities, an audit log should be maintained. It will record every change made to user profiles along with who made the change.

Suggested Features:

  1. Log Entries: Capture the timestamp, user ID of the editor, affected user ID, and a description of the change.
  2. Alert System: Notify original users and admins of changes made to profiles, especially role changes.

Use Cases

  1. SuperAdmins: Should be able to edit all profiles and have access to audit logs and recovery options.
  2. Admins: Can edit profiles at or below their access level, except SuperAdmin profiles. They should have access to recovery options but limited access to audit logs.
  3. Users/Members: Limited to editing their own profiles with simplified recovery options and no access to audit logs.

Questions/Considerations:

  1. What would be the criteria for triggering a temporary account lockdown?
  2. How long should audit logs be retained?
  3. Should there be an escalation process for disputed profile changes?
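One way to express the role tiers from the use cases and the log entry fields from the suggested features in code, as an added TypeScript example that is not the project's own code: the `Account` and `AuditEntry` shapes, the rank ordering, the `roleChange` flag and the rule used for an Admin's "limited" audit-log view are all assumptions made here, since the issue does not define them.

```typescript
// Added example (not the project's own code): the issue's role tiers applied to profile
// edits, with an append-only audit entry recorded for every change that goes through.
type Role = "USER" | "ADMIN" | "SUPERADMIN";
export interface Account { id: string; role: Role; }
export interface AuditEntry {
  timestamp: string;      // when the change happened (ISO 8601)
  editorId: string;       // who made the change
  affectedUserId: string; // whose profile was changed
  description: string;    // what changed
  roleChange: boolean;    // flagged so an alert hook can treat it as high priority
}
const RANK: Record<Role, number> = { USER: 0, ADMIN: 1, SUPERADMIN: 2 };
// SuperAdmins edit anyone; Admins edit accounts at or below their own level, never a
// SuperAdmin; Users/Members edit only themselves.
export function canEditProfile(editor: Account, target: Account): boolean {
  if (editor.role === "SUPERADMIN") return true;
  if (editor.role === "ADMIN") return RANK[target.role] <= RANK.ADMIN;
  return editor.id === target.id;
}

export const auditLog: AuditEntry[] = [];
// Rejects unauthorized edits before anything is written; otherwise records the change.
// `now` is a parameter only so callers can pass a fixed clock.
export function editProfile(editor: Account, target: Account, field: string,
                            newValue: string, now: Date = new Date()): AuditEntry {
  if (!canEditProfile(editor, target)) {
    throw new Error(`${editor.id} (${editor.role}) may not edit profile ${target.id}`);
  }
  const entry: AuditEntry = {
    timestamp: now.toISOString(),
    editorId: editor.id,
    affectedUserId: target.id,
    description: `${field} changed to ${newValue}`,
    roleChange: field === "role",
  };
  auditLog.push(entry);
  return entry;
}
// Audit-log visibility per the use cases. "Limited access" for Admins is undefined in
// the issue; assumed here: an Admin sees only entries about accounts they may edit.
export function visibleAuditEntries(viewer: Account, accounts: Map<string, Account>): AuditEntry[] {
  if (viewer.role === "USER") return [];
  if (viewer.role === "SUPERADMIN") return auditLog.slice();
  return auditLog.filter((e) => {
    const subject = accounts.get(e.affectedUserId);
    return subject !== undefined && canEditProfile(viewer, subject);
  });
}
```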

This issue did not get any activity in the past 10 days and will be closed in 180 days if no update occurs. Please check if the develop branch has fixed it and report again or close the issue.

@github-actions github-actions bot added the no-issue-activity label Apr 14, 2024
@krishna619
Author

@palisadoes what’s your take on this?
If we require this functionality, I am ready to work on this.

@github-actions github-actions bot removed the no-issue-activity label Apr 17, 2024
@Huy1996 Huy1996 removed the unapproved label Apr 18, 2024
@pranshugupta54
Member

It was decided to take up audit logging in the future, not now.

#2195 (comment)

We had a plan to make a separate page for audit logs with filtering options.

@krishna619 krishna619 closed this as not planned Apr 25, 2024