Audit log when Document access is forbidden (User Cannot Read the Document)

How to create a Audit Log (or even a History line of Document) in Nuxeo when a User that don't have permission to read the , but try to access with a permalink?

That are some way to do by extension point?

I know is possible to do by listening events on document. (

But dont exists any event like “no_access_granted_for_document” or some other way to do?

-I think the Access Check (hasPermission) happens before the Audit be available for. I'm wrong?

0 votes

3 answers



You're right, there's no event sent when permissions checks failed and access to a document is denied. So what you're trying to do is not currently possible without changing some code inside Nuxeo.

1 votes

Yes, I know that.

Thank you very much Florent!

0 votes

Hi Florent.

Yes, I thought about it. So, I'll try doing it inside (hasPermission methods), for having the event fired and a simple contrib to handle that event. It's be a good way? What do you think?


0 votes

It will mostly work but please be aware that there are a number of places where DocumentException is caught and ignored, so you'll get spurious logs. For instance CoreSession.getDocuments does this, or Nuxeo Drive. Maybe DefaultNuxeoExceptionHandler or a subclass, when calling ExceptionHelper.isSecurityError, would be a better location.

Sounds Good! I think ExceptionHelper.isSecurityError should work. My doubts is also having this Audit when user access through API/Rest/UI, so I;ve thought doing that on AbstractSession class.

Thanks Florent!!!


Note that if you modify Nuxeo code you're on your own for future upgrades, it's very likely that this area of the code will change in future releases.