System: Access - bring back audit messages (similar to the ones implemented for legacy in cfb84fe8e9, closes https://github.com/opnsense/core/issues/8409

2026-03-13 00:07:27 +00:00 · 2025-03-06 18:48:32 +01:00 · 2025-03-06 18:48:32 +01:00 · b7ed45db20
commit b7ed45db20
parent 3bf818348c
4 changed files with 32 additions and 5 deletions
--- a/src/opnsense/mvc/app/controllers/OPNsense/Auth/Api/GroupController.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Auth/Api/GroupController.php
@ -66,9 +66,10 @@ class GroupController extends ApiMutableModelControllerBase

    public function addAction()
    {
+        $data = $this->request->getPost(static::$internalModelName);
+        $this->setSaveAuditMessage(sprintf('group \"%s\" created"', $data['name']));
        $result = $this->addBase('group', 'group');
        if ($result['result'] != 'failed') {
-            $data = $this->request->getPost(static::$internalModelName);
            (new Backend())->configdpRun('auth sync group', [$data['name']]);
        }
        return $result;
@ -76,9 +77,10 @@ class GroupController extends ApiMutableModelControllerBase

    public function setAction($uuid = null)
    {
+        $data = $this->request->getPost(static::$internalModelName);
+        $this->setSaveAuditMessage(sprintf('group \"%s\" changed"', $data['name']));
        $result = $this->setBase('group', 'group', $uuid);
        if ($result['result'] != 'failed') {
-            $data = $this->request->getPost(static::$internalModelName);
            if (!empty($data['name'])) {
                (new Backend())->configdpRun('auth sync group', [$data['name']]);
            }
@ -99,6 +101,7 @@ class GroupController extends ApiMutableModelControllerBase
                $groupname = (string)$node->name;
            }
        }
+        $this->setSaveAuditMessage(sprintf('The group "%s" was successfully removed.', $groupname));
        $result = $this->delBase('group', $uuid);
        if ($groupname != null) {
            (new Backend())->configdpRun('auth sync group', [$groupname]);
--- a/src/opnsense/mvc/app/controllers/OPNsense/Auth/Api/UserController.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Auth/Api/UserController.php
@ -197,9 +197,10 @@ class UserController extends ApiMutableModelControllerBase

    public function addAction()
    {
+        $data = $this->request->getPost(static::$internalModelName);
+        $this->setSaveAuditMessage(sprintf('user \"%s\" created"', $data['name']));
        $result = $this->addBase('user', 'user');
        if ($result['result'] != 'failed') {
-            $data = $this->request->getPost(static::$internalModelName);
            if (!empty($data['name'])) {
                (new Backend())->configdpRun('auth sync user', [$data['name']]);
            }
@ -209,9 +210,10 @@ class UserController extends ApiMutableModelControllerBase

    public function setAction($uuid = null)
    {
+        $data = $this->request->getPost(static::$internalModelName);
+        $this->setSaveAuditMessage(sprintf('user \"%s\" changed"', $data['name']));
        $result = $this->setBase('user', 'user', $uuid);
        if ($result['result'] != 'failed') {
-            $data = $this->request->getPost(static::$internalModelName);
            if (!empty($data['name'])) {
                (new Backend())->configdpRun('auth sync user', [$data['name']]);
            }
@ -240,6 +242,7 @@ class UserController extends ApiMutableModelControllerBase
                $username = (string)$node->name;
            }
        }
+        $this->setSaveAuditMessage(sprintf('The user "%s" was successfully removed.', $username));
        $result = $this->delBase('user', $uuid);
        if ($username != null) {
            (new Backend())->configdpRun('auth sync user', [$username]);
--- a/src/opnsense/mvc/app/controllers/OPNsense/Base/ApiMutableModelControllerBase.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Base/ApiMutableModelControllerBase.php
@ -58,11 +58,25 @@ abstract class ApiMutableModelControllerBase extends ApiControllerBase
     */
    protected static $internalModelUseSafeDelete = false;

+    /**
+     * Message to append to configuration change event
+     */
+    protected $internalAuditMessage = null;
+
+
    /**
     * @var null|BaseModel model object to work on
     */
    private $modelHandle = null;

+    /**
+     * Message to use on save of this model
+     */
+    protected function setSaveAuditMessage($msg)
+    {
+        $this->internalAuditMessage = $msg;
+    }
+
    /**
     * Validate on initialization
     * @throws \Exception when not bound to a model class or a set/get reference is missing
@ -304,7 +318,12 @@ abstract class ApiMutableModelControllerBase extends ApiControllerBase
    {
        if (!(new ACL())->hasPrivilege($this->getUserName(), 'user-config-readonly')) {
            if ($this->getModel()->serializeToConfig($validateFullModel, $disable_validation)) {
-                Config::getInstance()->save();
+                if ($this->internalAuditMessage) {
+                    Config::getInstance()->save(['description' => $this->internalAuditMessage]);
+                } else {
+                    /* default "endpoint made changes" message */
+                    Config::getInstance()->save();
+                }
            }
            return array("result" => "saved");
        } else {
--- a/src/opnsense/mvc/app/library/OPNsense/Core/Config.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Core/Config.php
@ -515,6 +515,8 @@ class Config extends Singleton
        /* If revision info is not provided, create one. $revision is used for recursion */
        if (!is_array($revision)) {
            $revision = $this->getRevisionContext();
+        } else {
+            $revision = array_merge($this->getRevisionContext(), $revision);
        }
        if ($node == null) {
            if (!isset($this->simplexml->revision)) {