feat: Login/logout activity logging #40739
Open
+816
−474
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… during login/logout. Exclude impersonated login/logouts from being shown publicly.
![greptile-apps[bot]](https://cdn.statically.io/img/avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
Comment on lines
752
to
776
| def apply_activity_visibility_restrictions(queryset: QuerySet, user: "User") -> QuerySet: | ||
| """ | ||
| Apply visibility restrictions to activity log queryset based on user permissions. | ||
| """ | ||
| exclusion_queries = [] | ||
| for scope, restrictions in activity_visibility_restrictions.items(): | ||
| if restrictions.get("requires_staff"): | ||
| activities = restrictions.get("activities", []) | ||
| exclude_conditions = restrictions.get("exclude_when", {}) | ||
|
|
||
| # Build the query: scope AND activity IN [...] AND exclude_conditions | ||
| query = Q(scope=scope) & Q(activity__in=activities) | ||
| for field, value in exclude_conditions.items(): | ||
| query &= Q(**{field: value}) | ||
|
|
||
| exclusion_queries.append(query) | ||
|
|
||
| # Apply all exclusions with OR logic | ||
| if exclusion_queries: | ||
| combined_exclusion = exclusion_queries[0] | ||
| for q in exclusion_queries[1:]: | ||
| combined_exclusion |= q | ||
| queryset = queryset.exclude(combined_exclusion) | ||
|
|
||
| return queryset |
There was a problem hiding this comment.
logic: never checks if user.is_staff is True before excluding the activities
the logic excludes impersonated logins/logouts for ALL users, not just non-staff users. staff users should see these activities but currently cannot
Suggested change
| def apply_activity_visibility_restrictions(queryset: QuerySet, user: "User") -> QuerySet: | |
| """ | |
| Apply visibility restrictions to activity log queryset based on user permissions. | |
| """ | |
| exclusion_queries = [] | |
| for scope, restrictions in activity_visibility_restrictions.items(): | |
| if restrictions.get("requires_staff"): | |
| activities = restrictions.get("activities", []) | |
| exclude_conditions = restrictions.get("exclude_when", {}) | |
| # Build the query: scope AND activity IN [...] AND exclude_conditions | |
| query = Q(scope=scope) & Q(activity__in=activities) | |
| for field, value in exclude_conditions.items(): | |
| query &= Q(**{field: value}) | |
| exclusion_queries.append(query) | |
| # Apply all exclusions with OR logic | |
| if exclusion_queries: | |
| combined_exclusion = exclusion_queries[0] | |
| for q in exclusion_queries[1:]: | |
| combined_exclusion |= q | |
| queryset = queryset.exclude(combined_exclusion) | |
| return queryset | |
| def apply_activity_visibility_restrictions(queryset: QuerySet, user: "User") -> QuerySet: | |
| """ | |
| Apply visibility restrictions to activity log queryset based on user permissions. | |
| """ | |
| exclusion_queries = [] | |
| for scope, restrictions in activity_visibility_restrictions.items(): | |
| if restrictions.get("requires_staff") and not user.is_staff: | |
| activities = restrictions.get("activities", []) | |
| exclude_conditions = restrictions.get("exclude_when", {}) | |
| # Build the query: scope AND activity IN [...] AND exclude_conditions | |
| query = Q(scope=scope) & Q(activity__in=activities) | |
| for field, value in exclude_conditions.items(): | |
| query &= Q(**{field: value}) | |
| exclusion_queries.append(query) | |
| # Apply all exclusions with OR logic | |
| if exclusion_queries: | |
| combined_exclusion = exclusion_queries[0] | |
| for q in exclusion_queries[1:]: | |
| combined_exclusion |= q | |
| queryset = queryset.exclude(combined_exclusion) | |
| return queryset |
Prompt To Fix With AI
This is a comment left during a code review.
Path: posthog/models/activity_logging/activity_log.py
Line: 752:776
Comment:
**logic:** never checks if `user.is_staff` is `True` before excluding the activities
the logic excludes impersonated logins/logouts for ALL users, not just non-staff users. staff users should see these activities but currently cannot
```suggestion
def apply_activity_visibility_restrictions(queryset: QuerySet, user: "User") -> QuerySet:
"""
Apply visibility restrictions to activity log queryset based on user permissions.
"""
exclusion_queries = []
for scope, restrictions in activity_visibility_restrictions.items():
if restrictions.get("requires_staff") and not user.is_staff:
activities = restrictions.get("activities", [])
exclude_conditions = restrictions.get("exclude_when", {})
# Build the query: scope AND activity IN [...] AND exclude_conditions
query = Q(scope=scope) & Q(activity__in=activities)
for field, value in exclude_conditions.items():
query &= Q(**{field: value})
exclusion_queries.append(query)
# Apply all exclusions with OR logic
if exclusion_queries:
combined_exclusion = exclusion_queries[0]
for q in exclusion_queries[1:]:
combined_exclusion |= q
queryset = queryset.exclude(combined_exclusion)
return queryset
```
How can I resolve this? If you propose a fix, please make it concise.| else: | ||
| login_method = "sso" | ||
| else: | ||
| if user.social_auth.exists(): |
There was a problem hiding this comment.
style: triggers a database query on every login even if social auth is not being used
consider checking session backend first before querying user.social_auth.exists()
Prompt To Fix With AI
This is a comment left during a code review.
Path: posthog/models/activity_logging/signal_handlers.py
Line: 124:124
Comment:
**style:** triggers a database query on every login even if social auth is not being used
consider checking session backend first before querying `user.social_auth.exists()`
How can I resolve this? If you propose a fix, please make it concise.
|
Size Change: 0 B Total Size: 3.34 MB ℹ️ View Unchanged
|
📸 UI snapshots have been updated2 snapshot changes in total. 0 added, 2 modified, 0 deleted:
Triggered by this commit. |
📸 UI snapshots have been updated2 snapshot changes in total. 0 added, 2 modified, 0 deleted:
Triggered by this commit. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add login/logout activity logging. Add proper impersonation detection during login/logout. Exclude impersonated login/logouts from being shown publicly.
Problem
Changes
Changelog: (features only) Is this feature complete?