This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch db/misc_aug2025
in repository https://gitbox.apache.org/repos/asf/allura.git

commit aa1bf54d02417f4d529db7fb8193a21d0e108ffb
Author: Dave Brondsema <dbronds...@slashdotmedia.com>
AuthorDate: Thu Aug 28 12:49:54 2025 -0400

    improve some user audit logs
---
 Allura/allura/controllers/auth.py | 10 +++++++---
 Allura/allura/lib/plugin.py       |  4 +++-
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/Allura/allura/controllers/auth.py 
b/Allura/allura/controllers/auth.py
index 21e88bf90..759e07600 100644
--- a/Allura/allura/controllers/auth.py
+++ b/Allura/allura/controllers/auth.py
@@ -275,9 +275,13 @@ def password_recovery_hash(self, email=None, **kw):
             message = 'A password reset email has been sent, if the given 
email address is on record in our system.'
             email_record = M.EmailAddress.get(email=email, confirmed=True)
 
-        if user_record and email_record and email_record.confirmed:
-            user_record.send_password_reset_email(email_record.email)
-            h.auditlog_user('Password recovery link sent to: %s', 
email_record.email, user=user_record)
+        if user_record and email_record:
+            if email_record.confirmed:
+                user_record.send_password_reset_email(email_record.email)
+                h.auditlog_user('Password recovery link sent to: %s', 
email_record.email, user=user_record)
+            else:
+                h.auditlog_user('Password recovery link NOT sent to: %s 
because its unconfirmed', email_record.email, user=user_record)
+
         elif is_site_admin(c.user):
             # this can be accessed via a site admin page, and sometimes email 
records are inconsistent
             # only site admins may be told if accounts exist or not
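Review bot: Restructuring the condition at the new `if user_record and email_record:` line changes which branch an unconfirmed address reaches: previously a user with a matching but unconfirmed email record failed the combined check and fell through to `elif is_site_admin(c.user)`, whereas now it stops at the new `else:` audit-log branch, so a site admin looking up such an account presumably no longer gets whatever that branch reports (its body lies outside the hunk). If that fall-through is still wanted, one option is to keep the original `if user_record and email_record and email_record.confirmed:` and add the unconfirmed audit entry as a separate `elif user_record and email_record:` placed after the site-admin branch; otherwise please confirm the narrowed behaviour is intended. Separately, the new message `'Password recovery link NOT sent to: %s because its unconfirmed'` has a typo; `'Password recovery link NOT sent to: %s because it is unconfirmed'` reads better in the audit trail. Note that in the visible path `email_record` is fetched with `confirmed=True`, so the unconfirmed branch is only reachable when `email_record` was set by an earlier branch above the hunk. `password_recovery_hash` starts before and continues past this hunk.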
diff --git a/Allura/allura/lib/plugin.py b/Allura/allura/lib/plugin.py
index 0ee13d737..15b6bd616 100644
--- a/Allura/allura/lib/plugin.py
+++ b/Allura/allura/lib/plugin.py
@@ -226,7 +226,9 @@ def login(self, user: M.User = None, multifactor_success: 
bool = False) -> M.Use
         # they'll get an authentication code via email
         skip_after_login = False
         if asbool(config.get('auth.email_auth_code.enabled', False)) and not 
user.get_pref('multifactor') and not self.trusted_login_source(user, 
login_details) and not multifactor_success:
-            h.auditlog_user('User without MFA attempted to login from 
untrusted location', user=user)
+            h.auditlog_user('User without MFA attempted to login from 
untrusted location, '
+                            'sending code via email for them to enter',
+                            user=user)
             self.session['multifactor-username'] = user.username
             self.session['mode'] = 'email_code'
             self.session.save()
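Review bot: The reworded audit entry at the `h.auditlog_user(...)` call asserts that a code is being sent via email, but the lines that follow only store `multifactor-username` and `mode` in the session; the actual send presumably happens later in `login` or in the email-code flow, outside this hunk. If that send can fail or be skipped, the audit trail would record an action that never happened, which matters for a log meant to reconstruct login events. Either emit the "code sent" entry at the point the email is actually sent, or phrase this one as the decision taken here, e.g. `'User without MFA attempted to login from untrusted location; requiring an emailed code'`. `login` begins before this hunk and continues after it.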
