Expand activity logs

[MaciekBaron]

What is the context of this PR?

This PR addresses ticket CMS 906 and expands the activity logs to cover more actions and content types.

Note that this change introduces a new dependency, namely django-crum, in order to expose user details when using signals.

How to review

Perform one of the following actions and confirm that the activity was logged in site history:

• Edit a bundle
• Add a page to a bundle
• Remove a page from a bundle
• Add a team to a bundle
• Remove a team from a bundle
• Change bundle schedule
• Add a dataset
• Remove a dataset
• Add/edit/remove an image
• Add/edit/update a document
• Download a CSV from a preview

Follow-up Actions

Confirm that using the django-crum module is allowed for the project.

[MebinAbraham]

Just a quick note, while I do a quick pass, as you called out in stand-up, I will come back to this. Personally, I'm not a fan of this, especially using thread locals for such behaviour, and the fact that it hasn't been maintained for over six years. I think we should revisit the approach. What options have been considered?.

[MaciekBaron]

Currently, images and documents do create log entries, but only in specific scenarios - specifically, when using the non-multi version of the forms.

This means that the form at /admin/images/multiple/add/ does not create a log entry when adding an image. Meanwhile, /admin/images/add/ will (albeit you can only upload one image there). The default form you are taken to is the multi one.

Likewise if you mass delete images, that won't trigger the deletion log entries. It will however create the entries if you delete one image using the delete dropdown option.

I have removed django-crud for now and added tests to show the existing behaviour in: 58c6bb1

I have consulted this with the Wagtail team and they seem to believe that the fact that the log entries are created in the first place is because of a refactor done in 2014, following the work done on wagtail/wagtail#7550 and performing a full audit log of all image/document actions wasn't part of a feature plan.

We have several things we could do here:

• Drop django-crud and instead write our own thread-local approach which we maintain (shouldn't be too complicated code-wide)
• Raise an issue in the Wagtail repo to look into implementing full logging for images and documents, so that we don't just have a partial implementation
• Force users to go through a single image upload form, and disable mass deletion of images via the admin panel

[MebinAbraham]

Have you considered https://docs.python.org/3/library/contextvars.html? I'm not sure if threading.local is safe or future-proof for us; we might use a non-sync worker in the future or have async calls. Flask, which under the hood uses Werkzeug, moved away from threading.local to ContextVar also. However, even with both options, there could be gaps where we use thread pools.

[MebinAbraham]

As discussed, if we have no other strong reason to add support for it apart from the multi-image/document upload path, we can consider disabling that functionality and revisit it in the future.

[MebinAbraham]

Have done an initial pass (not checked all events we need to log yet), and overall it looks good.

One key gap is the need for a ChooserView mixin or similar mechanism. We should ensure that any chooser displaying sensitive information elsewhere in the system is logged. While I don't have a comprehensive list immediately available, some areas that require attention include:

• Logging chooser activity for headline figures. For example, when headline figures are listed in a chooser on a Topic page, we should log an action since users are viewing unpublished values.
• Listing of images or documents, since their titles may contain sensitive information.

We should also review other choosers to identify any additional instances where sensitive information may be exposed and ensure appropriate auditing is in place.

[MebinAbraham]

We don't want to log anything that may contain sensitive info.

[MebinAbraham]

I need to check whether we need to log the request along with the same event log.

[MebinAbraham]

One for discussion.
This makes things somewhat nice, but the site history record has a record for each page (and other parts of bundle). Ideally, it would be easier to have a single record for such an event. It also makes tracing this via logs much simpler.

I would like us to consider either:

• One log action for each change, such as one for the team, one for the page, etc.
• One log action per bundle save (essentially a diff of bundles) - easier for tracing via logs.

Any specific reason for the current approach (other than formatting issue in site history view?). Let's discuss before potentially making any changes.

[MebinAbraham]

This is already the event, so this is essentially a duplicate. Any reason this was done?

"event": "bundles.page_added", "data": {"event": "bundles.page_added"

[MaciekBaron]

This was so that the message and the data both contain the action, for JSON parsing. As this was literally the same (as you rightly pointed out), I have changed that in this commit, but happy to remove it from the data if we feel it is redundant: b712391

[MebinAbraham]

Title here would have been fine as only approved persons have access to audit events in the CMS, it was just in sys logs, we can't emit these. I guess we pass it in data, which is used here, but also in the log output, unless we had a mechanism to pass sensitive content to be used by here and not used by audit_logger.info. Thoughts?

[MaciekBaron]

@MebinAbraham logging of viewed headline figures in choosers added here: 081b796