This repository has been archived by the owner on Nov 19, 2019. It is now read-only.

Log all authorization attempts? #118

Closed
nathanl opened this issue Feb 1, 2017 · 5 comments

Comments

@nathanl
Owner

nathanl commented Feb 1, 2017

I got a question via Twitter and thought it would be best to make it a discussion here:

any recommendations for logging all authorization attempts via authority?

@nathanl
Owner Author

nathanl commented Feb 1, 2017

Logging all authorization attempts would currently require modifying Authority, either as a monkey patch or a PR.

Here's how logging is currently done.

First, Authority.enforce raises an exception if an attempted action is unauthorized.

Then this code rescues the exception and calls your configured security_violation_handler.

By default, that's the :authority_forbidden method, which logs the violation and renders a 403.

So to log all attempts at authorization, successful or not, would require modifying Authority.enforce to have it log any attempted access. E.g., it could do Authority.logger.info("#{user} is attempting to #{action} #{resource} with options #{options}"). It could still leave it to the exception handler to make a second warn log entry if the action is unauthorized.

That's not a hard change, but I don't know if any users would object to having those extra log messages. We could configure whether to log in that case, but more options == more complexity.
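
A sketch of the flow described above, written as an added example for this thread and not code from the Authority gem: `enforce`, `SecurityViolation`, the handler and the `User` are stand-ins that imitate the gem's shape (the `can_<action>?` convention and the raise-then-rescue path), with the log captured in a StringIO so both the info entry and the conditional warn entry can be inspected.

```ruby
require "logger"
require "stringio"

# Stand-in for Authority's SecurityViolation (constructed for this example).
class SecurityViolation < StandardError
  attr_reader :user, :action, :resource
  def initialize(user, action, resource)
    @user, @action, @resource = user, action, resource
    super("#{user} is not authorized to #{action} this resource: #{resource}")
  end
end

LOG_OUTPUT = StringIO.new
LOGGER = Logger.new(LOG_OUTPUT)
LOGGER.formatter = proc { |severity, _time, _prog, msg| "#{severity}: #{msg}\n" }

# Audit-everything variant of enforce: one info line per attempt, then the
# usual raise on denial. The can_<action>? convention mirrors Authority's.
def enforce(action, resource, user, options = {})
  LOGGER.info("#{user} is attempting to #{action} #{resource} with options #{options}")
  allowed = user.public_send("can_#{action}?", resource, options)
  raise SecurityViolation.new(user, action, resource) unless allowed
  resource
end

# Stand-in for the security_violation_handler: a second, warn-level entry
# only on denial, and a 403 in place of the resource.
def with_violation_handling
  yield
rescue SecurityViolation => e
  LOGGER.warn(e.message)
  403
end

# Constructed user: may read anything, may delete nothing.
User = Struct.new(:name) do
  def can_read?(_resource, _opts); true; end
  def can_delete?(_resource, _opts); false; end
  def to_s; name; end
end

# Runs one attempt against a fresh log and returns [result, log lines].
def run_attempt(action)
  LOG_OUTPUT.truncate(0)
  LOG_OUTPUT.rewind
  result = with_violation_handling { enforce(action, "Widget#7", User.new("alice")) }
  [result, LOG_OUTPUT.string.lines.map(&:chomp)]
end
```

A permitted action leaves exactly one info line; a denied one leaves the info line followed by the handler's warn line.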

@forced-request
Contributor

Thanks @nathanl. I think it's good to have the option. This allows developers to better audit user actions. I would probably have this disabled by default, and be enabled via the rollbar initializer.

@nathanl
Owner Author

nathanl commented Feb 1, 2017

@forced-request I can see why you'd want to be able to log everything. Interested in making a PR?

@forced-request
Contributor

I should be able to make that happen. I'll get back to you soon.

forced-request added a commit to forced-request/authority that referenced this issue Feb 2, 2017

Added option to enable logging for all authority interactions, as per nathanl#118

Logging will utilize Authority.info, and will only occur in instances in which a SecurityViolation is not generated
@nathanl
Owner Author

nathanl commented Apr 7, 2017

Fixed in #119

@nathanl nathanl closed this as completed Apr 7, 2017