In server audit log, revoking public link shows up as a delete in session action

[yanokwa]

In Central v1.1.2's server audit logs, when I remove a public access link, it shows up as a delete in the session actions.

I can understand why this is the case, but it's not user friendly.

[issa-tseng]

duplicated of getodk/central-backend#274 (comment)
and addressed in v1.2

[matthew-white]

v1.2 will start logging public_link.delete when a public link is truly deleted using the API, but I believe that revoking a public link will still entail deleting its session, which will only log session.end. I actually think that's reasonable, because the only resource that the revoke request directly changes is the Session.

In general, I think the model that's presented in Frontend closely matches Backend, but Frontend does simplify some details, including the existence of some Sessions. In some ways, the audit log more closely reflects what's actually happening as Frontend communicates with Backend over the API. I think that has the potential to lead to confusion, but I also think there are benefits to clearly presenting what's happening.

I also don't think that this question is entirely unique to session.end. For example, if you give an app user access to a form, that will log an assignment.create, but that action won't show up under App User Actions in the audit log filter. I actually just made a related comment about assignment.create and assignment.delete in which I basically suggest adding assignments to the audit log filter as their own resource, since that's how Backend thinks about them and is how the audit log API returns them to Frontend. I think that has the potential for confusion, but I again think there's some benefit to clearly presenting what Backend thinks is happening.

On the other hand, if there are wording changes we can make, I think those are quite cheap. Like maybe it should be Session > Revoke instead of Session > Delete?