Audit log when Document access is forbidden (User Cannot Read the Document)

How can I create an Audit Log (or even a History line of the Document) in Nuxeo when a User who doesn't have permission to read the , but tries to access it with a permalink?

Is there some way to do it by extension point?

I know it is possible to do by listening to events on the document. (https://doc.nuxeo.com/display/NXDOC/Audit#Audit-Event)

But doesn't any event like “no_access_granted_for_document” exist, or some other way to do it?

I think the Access Check (hasPermission) happens before the Audit is available. Am I wrong?

0 votes

3 answers

2385 views

ANSWER



You're right, there's no event sent when permission checks fail and access to a document is denied. So what you're trying to do is not currently possible without changing some code inside Nuxeo.

1 votes



Yes, I know that.

Thank you very much Florent!

0 votes



Hi Florent.

Yes, I thought about it. So, I'll try doing it inside AbstractSession.java (hasPermission methods), to have the event fired and a simple contrib to handle that event. Would that be a good way? What do you think?

Thanks!

0 votes



It will mostly work but please be aware that there are a number of places where DocumentException is caught and ignored, so you'll get spurious logs. For instance CoreSession.getDocuments does this, or Nuxeo Drive. Maybe DefaultNuxeoExceptionHandler or a subclass, when calling ExceptionHelper.isSecurityError, would be a better location.
03/31/2016

Sounds good! I think ExceptionHelper.isSecurityError should work. My doubt is also about having this Audit when the user accesses through API/Rest/UI, so I've thought of doing that on the AbstractSession class.

Thanks Florent!!!

04/03/2016

Note that if you modify Nuxeo code you're on your own for future upgrades, it's very likely that this area of the code will change in future releases.
03/31/2016
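The approach suggested in the comments above (a `DefaultNuxeoExceptionHandler` subclass that calls `ExceptionHelper.isSecurityError`), shown as an added example that is not code from this thread or from Nuxeo. The class name, the event name `documentAccessDenied` and the property keys are hypothetical; the `handleException` signature and the `ExceptionHelper` and event classes are assumed to match your Nuxeo release, and the handler registration plus the listener or audit contribution that consumes the event are not shown.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.nuxeo.ecm.core.event.EventContext;
import org.nuxeo.ecm.core.event.EventProducer;
import org.nuxeo.ecm.core.event.impl.EventContextImpl;
import org.nuxeo.ecm.platform.web.common.exceptionhandling.DefaultNuxeoExceptionHandler;
import org.nuxeo.ecm.platform.web.common.exceptionhandling.ExceptionHelper;
import org.nuxeo.runtime.api.Framework;

/** Hypothetical handler: emits one event per security error that reaches the error page. */
public class AccessDeniedAuditingExceptionHandler extends DefaultNuxeoExceptionHandler {

    private static final Logger LOG = Logger.getLogger(AccessDeniedAuditingExceptionHandler.class.getName());

    /** Hypothetical event name; a listener or audit contribution must be declared for it. */
    public static final String ACCESS_DENIED_EVENT = "documentAccessDenied";

    @Override
    public void handleException(HttpServletRequest request, HttpServletResponse response, Throwable t)
            throws IOException, ServletException {
        try {
            // Only exceptions that propagate up to this handler are seen here, so
            // denials that calling code catches and ignores do not produce an event.
            if (ExceptionHelper.isSecurityError(ExceptionHelper.unwrapException(t))) {
                fireAccessDenied(request);
            }
        } catch (RuntimeException e) {
            // A failure while recording the denial must not replace the normal error response.
            LOG.log(Level.WARNING, "Could not record access-denied event", e);
        }
        super.handleException(request, response, t);
    }

    protected void fireAccessDenied(HttpServletRequest request) {
        EventContext ctx = new EventContextImpl();
        // getRemoteUser() is null for unauthenticated requests.
        ctx.setProperty("principalName", request.getRemoteUser());
        // getRequestURI() excludes the query string, so URL parameters are not recorded.
        ctx.setProperty("requestURI", request.getRequestURI());
        ctx.setProperty("remoteAddr", request.getRemoteAddr());
        Framework.getService(EventProducer.class).fireEvent(ctx.newEvent(ACCESS_DENIED_EVENT));
    }
}
```

This records only denials that surface through the web exception handler; requests served through other entry points need their own hook.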