[Improvement-17933][api] Restrict audit logs to current user for non-admin users #18368

Merged: SbloodyS merged 1 commit into apache:dev from qiuyanjun888:Improvement-17933 on Jul 1, 2026
@qiuyanjun888

Contributor

Was this PR generated or assisted by AI?

YES. The patch and tests were assisted by AI and reviewed locally.

Purpose of the pull request

Fix #17933. Restrict global audit log queries so non-admin users can only view their own audit logs, while administrators keep the full audit view.

Brief change log

  • Pass login user context from AuditLogController to AuditService.
  • Add an optional userId filter to AuditLogMapper.queryAuditLog.
  • Apply userId filtering for non-admin users and keep admin queries global.
  • Add/adjust unit tests for service behavior and mapper userId filtering.

Verify this pull request

This change added tests and can be verified as follows:

  • ./mvnw verify -B -pl "dolphinscheduler-dao,dolphinscheduler-api" -Dmaven.test.skip=false -Dspotless.skip=true -DskipUT=false -Danalyze.skip=true -Djacoco.skip=true -Dsurefire.printSummary=true -Dsurefire.useFile=false -Dsurefire.reportFormat=plain -Dsurefire.redirectTestOutputToFile=false -Dsurefire.failIfNoSpecifiedTests=false -Dtest='AuditServiceTest'
  • ./mvnw verify -B -pl "dolphinscheduler-dao" -Dmaven.test.skip=false -Dspotless.skip=true -DskipUT=false -Danalyze.skip=true -Djacoco.skip=true -Dsurefire.printSummary=true -Dsurefire.useFile=false -Dsurefire.reportFormat=plain -Dsurefire.redirectTestOutputToFile=false -Dsurefire.failIfNoSpecifiedTests=false -Dtest='AuditLogMapperTest'
  • ./mvnw spotless:check -B -pl "dolphinscheduler-dao,dolphinscheduler-api"

Pull Request Notice

@SbloodyS

Member

cc @ruanwenjun

Pass the login user context into audit log queries and restrict non-admin users to their own audit log records while preserving the global audit view for administrators.
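
The scoping rule this change describes, as a stand-alone Java sketch. It is an added example, not code from the pull request or from DolphinScheduler: every class, enum and method name is hypothetical, an in-memory list stands in for the audit log table, and records require Java 16 or later.

```java
import java.util.List;
import java.util.stream.Collectors;

// Added illustration; all names here are hypothetical, not the project's code.
public class AuditScopeExample {
    enum Role { ADMIN, GENERAL }
    record User(int id, Role role) {}
    record AuditLog(int userId, String operation) {}

    // Stand-in for the mapper query: a null userId means "no user filter".
    static List<AuditLog> queryAuditLog(List<AuditLog> table, Integer userId) {
        return table.stream()
                .filter(log -> userId == null || log.userId() == userId)
                .collect(Collectors.toList());
    }

    // Service layer: the filter is derived from the authenticated login user,
    // never from a request parameter. This is the only place allowed to pass
    // null (the global view), and it does so only for administrators.
    static List<AuditLog> queryForLoginUser(User loginUser, List<AuditLog> table) {
        if (loginUser == null) {
            // Fail closed: a missing user must not fall through to the
            // unfiltered query.
            throw new IllegalArgumentException("login user is required");
        }
        Integer scope = loginUser.role() == Role.ADMIN ? null : loginUser.id();
        return queryAuditLog(table, scope);
    }

    public static void main(String[] args) {
        // Constructed sample rows.
        List<AuditLog> table = List.of(
                new AuditLog(1, "CREATE_PROJECT"),
                new AuditLog(2, "DELETE_WORKFLOW"),
                new AuditLog(2, "UPDATE_TOKEN"));
        User admin = new User(1, Role.ADMIN);
        User owner = new User(2, Role.GENERAL);
        User other = new User(3, Role.GENERAL);
        System.out.println("admin sees " + queryForLoginUser(admin, table).size());
        System.out.println("user 2 sees " + queryForLoginUser(owner, table).size());
        System.out.println("user 3 sees " + queryForLoginUser(other, table).size());
    }
}
```

Because the optional filter treats null as "all users", a unit test that asserts a non-admin caller always reaches the query with a non-null user id guards against regressions in the service layer.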

@ruanwenjun ruanwenjun left a comment

Member

LGTM

@ruanwenjun ruanwenjun added this to the 3.5.0 milestone Jun 30, 2026

@SbloodyS SbloodyS left a comment

Member

+1

@SbloodyS SbloodyS added the improvement make more easy to user or prompt friendly label Jul 1, 2026
@SbloodyS SbloodyS merged commit 17ce569 into apache:dev Jul 1, 2026
118 of 122 checks passed
Labels

backend improvement make more easy to user or prompt friendly ready-to-merge test

Development

Successfully merging this pull request may close these issues.

[Improvement] Restrict access to global audit logs

3 participants