adamsaghy commented on code in PR #5094:
URL: https://github.com/apache/fineract/pull/5094#discussion_r2432282651
##########
fineract-provider/src/main/java/org/apache/fineract/infrastructure/core/domain/AuditorAwareImpl.java:
##########
@@ -35,7 +35,7 @@ public Optional<Long> getCurrentAuditor() {
final SecurityContext securityContext =
SecurityContextHolder.getContext();
if (securityContext != null) {
final Authentication authentication =
securityContext.getAuthentication();
- if (authentication != null) {
+ if (authentication != null && authentication.getPrincipal()
instanceof AppUser) {
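Review bot: The widened condition `authentication != null && authentication.getPrincipal() instanceof AppUser` makes an authenticated request whose principal is not an `AppUser` take the same path as a request with no authentication at all, and nothing in this hunk records that it happened. In `getCurrentAuditor()` that silently changes which id a write is attributed to. Consider handling the non-`AppUser` principal as its own case (log it at warn level, or fail), and add a comment plus a test stating which auditor id that case is expected to return.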
Review Comment:
At this point, I’m not even comfortable with the existing logic that falls
back to the superuser under any circumstances, but this might not be the right
moment to fix everything.
Back to the main issue: the (now deprecated) self-service module allows
anyone to perform operations during “self-registration,” and in those cases,
all audit entries are recorded under the superuser account.
In the future, if for any reason the authentication principal becomes
something other than an `AppUser`, Fineract would effectively use the “system”
user for all audit entries, which, in my view, is incorrect behaviour. I would
rather introduce a new AppUser (selfService) and have that be used for any of
these operations instead.
--
This is an automated message from the Apache Git Service.