Audit log when Document access is forbidden (User Cannot Read the Document)

How to create a Audit Log (or even a History line of Document) in Nuxeo when a User that don't have permission to read the , but try to access with a permalink?

That are some way to do by extension point?

I know is possible to do by listening events on document. (https://doc.nuxeo.com/display/NXDOC/Audit#Audit-Event)

But dont exists any event like “no_access_granted_for_document” or some other way to do?

-I think the Access Check (hasPermission) happens before the Audit be available for. I'm wrong?

0 votes

3 answers

1003 views

ANSWER



You're right, there's no event sent when permissions checks failed and access to a document is denied. So what you're trying to do is not currently possible without changing some code inside Nuxeo.

1 votes



Yes, I know that.

Thank you very much Florent!

0 votes



Hi Florent.

Yes, I thought about it. So, I'll try doing it inside AbstractSession.java (hasPermission methods), for having the event fired and a simple contrib to handle that event. It's be a good way? What do you think?

Thanks!

0 votes



It will mostly work but please be aware that there are a number of places where DocumentException is caught and ignored, so you'll get spurious logs. For instance CoreSession.getDocuments does this, or Nuxeo Drive. Maybe DefaultNuxeoExceptionHandler or a subclass, when calling ExceptionHelper.isSecurityError, would be a better location.
03/31/2016

Sounds Good! I think ExceptionHelper.isSecurityError should work. My doubts is also having this Audit when user access through API/Rest/UI, so I;ve thought doing that on AbstractSession class.

Thanks Florent!!!

04/03/2016

Note that if you modify Nuxeo code you're on your own for future upgrades, it's very likely that this area of the code will change in future releases.
03/31/2016