Automatic Logging doesn't log the Actor #115
Comments
|
I would make your request add add if hasattr(request, 'user') and hasattr(request.user, 'is_authenticated') and request.user.is_authenticated():
set_actor = curry(self.set_actor, user=request.user, signal_duid=threadlocal.auditlog['signal_duid'])
pre_save.connect(set_actor, sender=LogEntry, dispatch_uid=threadlocal.auditlog['signal_duid'], weak=False)Those lines of code in the This could be an issue with your Django version, I believe |
|
@audiolion Edit: |
|
I'm having this same issue when using this package with the Django REST Framework and Django-REST-JWT. See below for settings.py: Screenshot of my Admin dashboard. The user for all Log Entry objects is displayed as 'system'
|
|
see my comment to help debug |
|
@audiolion Thank you for the prompt response, however I'm not sure how to leverage this to fix the issue. From the Django documentation (I'm running 1.10.5), it seems that is_authenticated is still included... |
|
@audiolion see below for debugging results. Seems to be something else that is causing the actor to be saved as system. -> if hasattr(request, 'user') and hasattr(request.user, 'is_authenticated') and request.user.is_authenticated(): |
|
what is the username of request.user? |
|
The username is my username (kdenny): -> if hasattr(request, 'user') and hasattr(request.user, 'is_authenticated') and request.user.is_authenticated(): |
|
Very strange, it seems like all the stuff to set the actor is happening correctly, I am not sure why it is not being saved. My only advice is to step through the code with the debugger to see where things are going wrong. 😢 |
|
Closing due to inactivity |
|
I'm having the same problem in Django 1.11, using DRF and TokenAuthentication. If i modify an object from the admin then I see the user correctly, but if i modify it from an update api call it says just "system" for all the users. |
|
ok ill reopen to investigate |
|
Hi @audiolion, I've debugged it and I found that I was getting an AnonymusUser in the middleware. I was researching about it and it's something related to DRF. When TokenAuthentication is used, the user is set in views or viewsets, so we can't get the user in the middleware. So I've ended uninstalling django-auditlog and implementing two mixins to use in my views Thanks |
|
thanks for the investigating @marianobrc I wouldn't be opposed to adding some helper utilities to this library and some docs for integrating with DRF, but it does seem a little out of scope. The other option is add a note with this code in the documentation. I am surprised that DRF doesn't set the user in the middleware piece, this isn't just a matter of putting the auditlog middleware after the DRF middleware is it? |
|
DRF how to log the ractor? I have the same problem. |
|
I also had a related issue setting actor using rest_framework_jwt.authentication (was showing "system") , we solved it with custom middleware and now auditlog has the correct actor. |
|
verificient@3650226 - possible solution |
|
@PeterBeklemishev if you want to send a PR this way I will review 👍 |
|
For anyone stuck in this, you can create a custom middleware to populate the request.user in a middleware before running the auditlog middleware. https://crondev.wordpress.com/2018/05/13/django-middlewares-with-rest-framework/ |
|
Any progress on this? @PeterBeklemishev, do you intend to submit a pull request with your solution? |
|
Does anybody has any solution here yet? @PeterBeklemishev, can you create a pull request with your fix? |
|
I have solution |
|
Having the exact issue. @ivan-fedorov-probegin tried your solution but it still doesn't work and saves
|
|
Hello everyone! I had the same issue when trying to integrate I have been digging into the source code of both projects to understand the reason the
I've created a glue code which works as integration between both projects. The approach I took is to use Integration mixin# mixins.py
from django.db.models.signals import pre_save
from django.utils.functional import curry
from auditlog.compat import is_authenticated
from auditlog.middleware import threadlocal, AuditlogMiddleware
from auditlog.models import LogEntry
class DRFDjangoAuditModelMixin:
"""
Mixin to integrate django-auditlog with Django Rest Framework.
This is needed because DRF does not perform the authentication at middleware layer
instead it performs the authentication at View layer.
This mixin adds behavior to connect/disconnect the signals needed by django-auditlog to auto
log changes on models.
It assumes that AuditlogMiddleware is activated in settings.MIDDLEWARE_CLASSES
"""
def should_connect_signals(self, request):
"""Determines if the signals should be connected for the incoming request."""
# By default only makes sense to audit when the user is authenticated
return is_authenticated(request.user)
def initial(self, request, *args, **kwargs):
"""Overwritten to use django-auditlog if needed."""
super().initial(request, *args, **kwargs)
if self.should_connect_signals(request):
set_actor = curry(AuditlogMiddleware.set_actor, user=request.user,
signal_duid=threadlocal.auditlog['signal_duid'])
pre_save.connect(set_actor, sender=LogEntry,
dispatch_uid=threadlocal.auditlog['signal_duid'], weak=False)
def finalize_response(self, request, response, *args, **kwargs):
"""Overwritten to cleanup django-auditlog if needed."""
response = super().finalize_response(request, response, *args, **kwargs)
if hasattr(threadlocal, 'auditlog'):
pre_save.disconnect(sender=LogEntry, dispatch_uid=threadlocal.auditlog['signal_duid'])
return responseMinimal usage example# views.py
from rest_framework import viewsets
from some_app.mixins import DRFDjangoAuditModelMixin
from some_app import models, serializers
class SomeModelViewSet(DRFDjangoAuditModelMixin, viewsets.ReadOnlyModelViewSet):
queryset = models.MyModel.objects.all()
serializer_class = serializers.MyModelSerializerI would like to hear feedback from the projects! Thanks in advance! |
|
for oauth2_provider i fix issue wit create middleware : from django.utils.functional import SimpleLazyObject
from django.contrib.auth import get_user
from rest_framework.response import Response
from oauth2_provider.models import AccessToken
from django.contrib.auth.models import User
class RestOauthMiddleware:
def __init__(self, get_response):
self.get_response = get_response
@staticmethod
def get_user(request):
user = get_user(request)
if user.is_authenticated:
return user
try:
Token = AccessToken.objects.get(
token=request.headers['Authorization'].split()[1])
user = User.objects.get(pk=Token.user_id)
except:
pass
return user
def __call__(self, request):
request.user = SimpleLazyObject(
lambda: self.__class__.get_user(request))
response = self.get_response(request)
return responseand add middleware in setting file above of auditlog middleware. |
|
Hi, just wanted to know if there's any update regarding this? Any plans to implement some of the solutions? btw amazing work! |
|
I was a lot of time checking all these things, but nothing work for me , I was making a research about DRF and middleware, how it work and found the problem , nothing is wrong with DRF or with django-auditlog. The problem is from the middleware you can't get the request.user when the request come from a view like is the case with DRF APIviews, and how we are registering the log in the models you will not get the user according to the token in this moment.
class AnyModel(models.Model): auditlog.register(AnyModel)
class MyApiview(APIView): @staticmethod I know this is not the best solution but work for DRF and django-auditlog lib, remember this lib (django-auditlog) is not for DRF , it is for django, it will log everything if you use django admin or web, but not DRF my middleware: from django.utils.functional import SimpleLazyObject class RestOauthMiddleware(object): THIS WORK FOR ME , AND I CAN NOW REGISTER THE ACTOR FROM MY APIs views |
This is the most elegant solution with but it is broken with the new update with the removal of process_request method. Is there any way to accomplish this on the middleware level, without subclassing every viewset? |
|
@senbonsakura unfortunately, i didn't check the new update Right now i am depending an older commit |
|
@hassaanalansary @senbonsakura |
|
On line of what @ALgracnar did, the solution I could find for DRF and auditlog 2.1.0 was: import time
import threading
from django.contrib.auth import get_user_model
threadlocal = threading.local()
def set_log_entry_actor(user, sender, instance, signal_duid, **kwargs):
"""Signal receiver with extra 'user' and 'signal_duid' kwargs.
This function becomes a valid signal receiver when it is curried with the actor and a dispatch id.
This is a copy of AuditlogMiddleware.context._set_actor.
"""
try:
auditlog = threadlocal.auditlog
except AttributeError:
pass
else:
if signal_duid != auditlog["signal_duid"]:
return
auth_user_model = get_user_model()
if (
sender == LogEntry
and isinstance(user, auth_user_model)
and instance.actor is None
):
instance.actor = user
instance.remote_addr = auditlog["remote_addr"]
def get_remote_addr(request: Request) -> Optional[str]:
"""Return the remote address of the request."""
if forwarded_for := request.META.get("HTTP_X_FORWARDED_FOR"):
# In case of proxy, set 'original' address
return forwarded_for.split(",")[0]
return request.META.get("REMOTE_ADDR")
class DRFDjangoAuditModelMixin:
"""
Mixin to integrate django-auditlog with Django Rest Framework.
This is needed because DRF does not perform the authentication at middleware layer
instead it performs the authentication at View layer.
This mixin adds behavior to connect/disconnect the signals needed by django-auditlog to auto
log changes on models.
It assumes that AuditlogMiddleware is activated in settings.MIDDLEWARE_CLASSES
"""
def should_connect_signals(self, request) -> bool:
"""Determines if the signals should be connected for the incoming request."""
# By default only makes sense to audit when the user is authenticated
return hasattr(request.user, "email") and bool(request.user.email)
def initial(self, request, *args, **kwargs):
"""Overwritten to use django-auditlog if needed."""
super().initial(request, *args, **kwargs)
if self.should_connect_signals(request):
threadlocal.auditlog = {
"signal_duid": ("set_actor", time.time()),
"remote_addr": get_remote_addr(request),
}
set_actor = partial(
set_log_entry_actor,
user=request.user,
signal_duid=threadlocal.auditlog["signal_duid"],
)
pre_save.connect(
set_actor,
sender=LogEntry,
dispatch_uid=threadlocal.auditlog["signal_duid"],
weak=False,
)
def finalize_response(self, request, response, *args, **kwargs):
"""Overwritten to cleanup django-auditlog if needed."""
response = super().finalize_response(
request,
response,
*args,
**kwargs,
)
if hasattr(threadlocal, "auditlog"):
pre_save.disconnect(
sender=LogEntry,
dispatch_uid=threadlocal.auditlog["signal_duid"],
)
return response |
|
@alexsavio: I've tried your solution with auditlog 2.1.0, but it complains about missing LogEntry, Request and Optional, threadlocal missing auditlog, etc. Would you mind to tell which Django and maybe Python version you've tested this against? Are there any plans/forks that solve this issue? |
|
@normic we are using Django 4.0.7 and Python 3.10 and djangorestframework 3.13.1. I hope this helps |
|
@normic I managed to get @alexsavio solution working.
|
|
@malderete @ALgracnar @alexsavio Thank you. I added missing imports. It works for me |
|
@hassaanalansary 's Idea can be modified in newer versions with the introduced -> |
This way works for me and it is very simple. It should be noted that if you are using the RTF, SessionAuthentication should be loaded after JWTAuthentication. Otherwise csrf error will happen. My setting is like this: |
|
In my case I solved this by modifying the from auditlog.context import set_actor
from auditlog.middleware import AuditlogMiddleware as _AuditlogMiddleware
from django.utils.functional import SimpleLazyObject
class AuditlogMiddleware(_AuditlogMiddleware):
def __call__(self, request):
remote_addr = self._get_remote_addr(request)
user = SimpleLazyObject(lambda: getattr(request, "user", None))
context = set_actor(actor=user, remote_addr=remote_addr)
with context:
return self.get_response(request)And then use this custom middleware in |
I tried your solution. it work for me. |
|
I tried it as well - also worked for me. |
Just adding my experience here, I ended up going with @mcanu's solution. It's working in production for me with @alexsavio's solution also worked for me after adding imports like @quincykwende , however the custom middleware was my final go-to. I'd also want to mention that for the mixin-based solution, it might be worth changing the Here's how I would change it if you plan to go this route: |
@mcanu I tried your solution. It works flawlessly. I wonder what's stopping people from including this solution directly in audit log middleware. |
|
In my case when i am using your code my user variable is printing AnonymousUser which again lead to the same problem showing system value of actor field @magdumsuraj07 |
|
The problem is the INSTALLED_APPS's order, you just need to put auditlog app above djangorestframework app on settings.py file and @mcanu middleware, that's it. Hope this helps! |
|
Putting 'auditlog.middleware.AuditlogMiddleware', as the last item in MIDDLEWARE in settings.py solved the issue for me. |
@mcanu This is working for me. Thank you for solution. |
|
Works well for me too, with auditlog 2.5.0 and Django 5.02. I am not clear if this is fixed in the upcoming release 3, per comment here #613 @hramezani ? |
I need someone to check it on |
|
@hramezani Not working auditlog 3.0.0 and django 4.2.13. |
|
@jforsman Yes, this is not working. I am still waiting for a PR that fixes the problem in |
|
I don't actually think that there should be anything done to auditlog as it is DRF design decision (faulty one in my opinion) to do the authentication at view level so it should be somehow fixed there. I think I am gonna go with the custom DRF authentication classes. |
|
Well, don't think there will be any fixes to anywhere soon, this DRF bug encode/django-rest-framework#760 (yes an old one but still valid) states in the last comment that you should write separate authentication middlewares. That was my approach in the end. |
IT worked for me also, Thank you so much @mcanu |
and others
I have installed the plugin and on an Django Rest Framework instance.
All the logging is working as expected, except the Logging of the Actor.
I added the Middleware as Described in the Docs but its still not logging any Actor.
Here is my configuration:
What am I missing here? Is it a problem with the OAuth Toolkit or did I missconfig anything?
The text was updated successfully, but these errors were encountered: