Allow AuditEventHelper to print custom_messages

* Add special case for :custom_message * Sanitize audit event's actions

Allow AuditEventHelper to print custom_messages
* Add special case for :custom_message * Sanitize audit event's actions
a861b699 · Vladimir Shushlin · 270b54e9 · a861b699 · a861b699 · a861b699
Commit a861b699 authored Feb 27, 2019 by Vladimir Shushlin
7 changed files
--- a/ee/app/helpers/audit_events_helper.rb
+++ b/ee/app/helpers/audit_events_helper.rb
@@ -2,6 +2,9 @@
 module AuditEventsHelper
  def human_text(details)
+    # replace '_' with " " to achive identical behavior with Audit::Details
+    return details[:custom_message].tr('_', ' ') if details[:custom_message]
    details.map { |key, value| select_keys(key, value) }.join(" ").humanize
  end

--- a/ee/app/views/admin/audit_logs/index.html.haml
+++ b/ee/app/views/admin/audit_logs/index.html.haml
@@ -49,7 +49,7 @@
                = object_link
              - else
                #{event.details[:entity_path]} <small>(removed)</small>
-            %td= event.action
+            %td= sanitize(event.action, tags: %w(strong))
            %td= event.target
            %td= event.ip_address
            %td= event.date

--- a/ee/app/views/shared/audit_events/_event_table.html.haml
+++ b/ee/app/views/shared/audit_events/_event_table.html.haml
@@ -16,7 +16,7 @@
            - else
              (removed)
          %td
-            %span= raw human_text(event.details)
+            %span= sanitize(human_text(event.details), tags: %w(strong))
          %td= event.details[:target_details]
          %td= event.created_at
  = paginate events, theme: "gitlab"
--- a/ee/spec/features/admin/admin_audit_logs_spec.rb
+++ b/ee/spec/features/admin/admin_audit_logs_spec.rb
@@ -83,9 +83,10 @@ describe 'Admin::AuditLogs', :js do
    describe 'project events' do
      let(:project_member) { create(:project_member, user: user) }
+      let(:project) { project_member.project }
      before do
-        AuditEventService.new(user, project_member.project, { action: :destroy })
+        AuditEventService.new(user, project, { action: :destroy })
          .for_member(project_member).security_event
        visit admin_audit_logs_path
@@ -102,6 +103,10 @@ describe 'Admin::AuditLogs', :js do
        expect(page).to have_content('Removed user access')
      end
+      it_behaves_like 'audit event contains custom message' do
+        let(:audit_events_url) { admin_audit_logs_path }
+      end
    end
  end

--- a/ee/spec/features/projects/audit_events_spec.rb
+++ b/ee/spec/features/projects/audit_events_spec.rb
@@ -114,4 +114,8 @@ describe 'Projects > Audit Events', :js do
      end
    end
  end
+  it_behaves_like 'audit event contains custom message' do
+    let(:audit_events_url) { project_audit_events_path(project) }
+  end
 end
--- a/ee/spec/helpers/audit_events_helper_spec.rb
+++ b/ee/spec/helpers/audit_events_helper_spec.rb
@@ -4,7 +4,6 @@ describe AuditEventsHelper do
  describe '#human_text' do
    let(:details) do
      {
-        remove: 'user_access',
        author_name: 'John Doe',
        target_id: 1,
        target_type: 'User',
@@ -12,8 +11,32 @@ describe AuditEventsHelper do
      }
    end
+    subject { human_text(details) }
+    context 'when message consist of hash keys' do
+      subject { human_text({ remove: 'user_access' }.merge(details))}
      it 'ignores keys that start with start with author_, or target_' do
-      expect(human_text(details)).to eq 'Remove <strong>user access</strong>    '
+        expect(subject).to eq 'Remove <strong>user access</strong>    '
+      end
+    end
+    context 'when details contain custom message' do
+      let(:custom_message) { 'Custom message <strong>with tags</strong>' }
+      subject { human_text( { custom_message: custom_message }.merge(details)) }
+      it 'returns custom message' do
+        expect(subject).to eq(custom_message)
+      end
+      context 'when custom message contains "_"' do
+        let(:custom_message) { "message_with_spaces" }
+        it 'replace them with spaces' do
+          expect(subject).to eq("message with spaces")
+        end
+      end
    end
  end

--- a/ee/spec/support/shared_examples/features/audit_event_contains_custom_message.rb
+++ b/ee/spec/support/shared_examples/features/audit_event_contains_custom_message.rb
+# frozen_string_literal: true
+shared_examples 'audit event contains custom message' do
+  let(:custom_message) { "Message_with_spaces" }
+  let(:details) do
+    {
+      custom_message: custom_message,
+      author_name: 'John Doe',
+      target_id: 1,
+      target_type: 'User',
+      target_details: 'Michael'
+    }
+  end
+  let!(:security_event) do
+    ::AuditEventService.new(user, project, details).security_event
+  end
+  before do
+    visit audit_events_url
+  end
+  it 'user sess this message' do
+    expect(page).to have_content('Message with spaces')
+  end
+  context 'when it contains tags' do
+    let(:custom_message) { 'Message <strong>with</strong> <i>deleted</i> tags' }
+    it 'allows only <strong> tag' do
+      message_row = find('td', text: 'Message with deleted tags')
+      expect(message_row).to have_selector('strong')
+      expect(message_row).to have_no_selector('i')
+    end
+  end
+end