Create audit log entry when password is invalidated #736
Assignees
Labels
behavior verified
Behavior has been manually verified
Comments
matthew-white
added a commit
that referenced
this issue
Jan 21, 2023
2 tasks
matthew-white
added a commit
that referenced
this issue
Jan 24, 2023
|
Tested with Success!
|
srujner
added
behavior verified
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
/v1/users/reset/initiate initiates a password reset. If ?invalidate=true is specified, then the existing password is also immediately invalidated. The results of /v1/users/reset/initiate don't appear in the audit log. I think it makes sense that initiating a password reset isn't logged. However, if a password is invalidated, I think it'd be a good idea to log that, since that results in an immediate change to an existing resource. Only sitewide administrators can invalidate another user's password.
In terms of which action is logged, I think we could use
user.update. Changing a password also logsuser.update.Note for the QA team: This change can be verified by clicking "Reset password" in the actions dropdown for a user on the Users page. Resetting a user's password from that page will invalidate it, which should now result in a new entry in the server audit log.
The text was updated successfully, but these errors were encountered: