-
Notifications
You must be signed in to change notification settings - Fork 14
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Logging custom DDF events, such as updates to users. DDFHER-150
When updating a user, we want to log the changes done - this is part of a security policy by DDF. For most fields, the old and new value gets logged, but others may be ignored, or declared on a meta-level (such as password).
- Loading branch information
Showing
4 changed files
with
128 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
--- | ||
name: DPL logging | ||
description: Logging custom DDF events, such as updates to users. | ||
package: DPL | ||
type: module | ||
core_version_requirement: ^10 || ^11 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,114 @@ | ||
<?php | ||
|
||
use Drupal\Component\Utility\DiffArray; | ||
use Drupal\Core\StringTranslation\TranslatableMarkup; | ||
use Drupal\user\Entity\User; | ||
|
||
/** | ||
* Implements hook_ENTITY_TYPE_presave(). | ||
* | ||
* When updating a user, we want to log the changes done - this is part of | ||
* a security policy by DDF. | ||
* For most fields, the old and new value gets logged, but others may be | ||
* ignored, or declared on a meta-level (such as password). | ||
*/ | ||
function dpl_logging_user_presave(User $user): void { | ||
$original_user = $user->original; | ||
|
||
if (!($original_user instanceof User)) { | ||
return; | ||
} | ||
|
||
$original_values = $original_user->toArray(); | ||
$values = $user->toArray(); | ||
$updates = DiffArray::diffAssocRecursive($values, $original_values); | ||
|
||
// Some fields are so meta that we do not need to log their changes. | ||
$ignored_updates = ['changed', 'metatag', 'field_password_expiration']; | ||
$diffs = []; | ||
|
||
foreach ($updates as $key => $value) { | ||
if (in_array($key, $ignored_updates)) { | ||
continue; | ||
} | ||
|
||
if ($key === 'roles') { | ||
$original_roles = $original_user->getRoles(); | ||
$new_roles = $user->getRoles(); | ||
|
||
// This results in the machine names of the roles. | ||
// We could also do a look up, to find the translated labels also, | ||
// but it is probably overkill for what this log will be used for. | ||
$added_roles = array_diff($new_roles, $original_roles); | ||
$removed_roles = array_diff($original_roles, $new_roles); | ||
|
||
if (!empty($added_roles)) { | ||
$diffs['roles_added'] = t( | ||
'New roles added to user: @roles', | ||
['@roles' => implode(', ', $added_roles)], | ||
['context' => 'DPL logging'] | ||
)->render(); | ||
} | ||
|
||
if (!empty($removed_roles)) { | ||
$diffs['roles_removed'] = t( | ||
'Old roles removed from user: @roles', | ||
['@roles' => implode(', ', $removed_roles)], | ||
['context' => 'DPL logging'] | ||
)->render(); | ||
} | ||
|
||
continue; | ||
} | ||
|
||
if ($key === 'pass') { | ||
// The password always shows up, but it does not always have an actual | ||
// value inserted - in that case, we'll filter it out. | ||
if (!empty(array_filter($value[0]))) { | ||
// We don't want to log the actual password change. It is useless as | ||
// it is hashed regardless. | ||
$diffs[$key] = t( | ||
'Password was updated', | ||
[], | ||
['context' => 'DPL logging'] | ||
)->render(); | ||
} | ||
|
||
continue; | ||
} | ||
|
||
// Getting human-readable label, with machine name as fallback. | ||
$label = $user->getFieldDefinition($key)?->getLabel() ?? $key; | ||
|
||
// Make sure the label is a string. Sometimes getLabel returns translation. | ||
$label = ($label instanceof TranslatableMarkup) ? $label->render() : $label; | ||
|
||
$original_value = $original_values[$key] ?? $value; | ||
|
||
$diffs[$key] = t( | ||
'@label: @original_value changed to @value', | ||
[ | ||
'@label' => $label, | ||
'@original_value' => $original_value[0]['value'] ?? NULL, | ||
'@value' => $value[0]['value'] ?? NULL, | ||
], | ||
['context' => 'DPL logging'] | ||
)->render(); | ||
} | ||
|
||
if (empty($diffs)) { | ||
return; | ||
} | ||
|
||
$values_string = implode("\r\n | ", $diffs); | ||
$message = t('User @name (@id) has been updated with the following values: @values', [ | ||
'@name' => $user->getAccountName(), | ||
'@id' => $user->id(), | ||
'@values' => $values_string, | ||
], ['context' => 'DPL logging']); | ||
|
||
$logger = \Drupal::logger('dpl_login'); | ||
$logger->notice('@message', [ | ||
'@message' => $message, | ||
]); | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters