jramos/cve-dashboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Hide impersonation events from non-Admin activity feed

Browse Source 
Non-Admin users should not see impersonate_start/impersonate_stop
entries in the recent activity feed. The feed now filters these
actions for non-Admin groups alongside the existing login/logout
exclusions.
This commit is contained in:
Jordan Ramos
2026-06-24 13:01:15 -06:00
parent 8c789ce765
commit 0e17318cba
1 changed files with 8 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
backend/server.js
View File

@@ -161,13 +161,18 @@ app.use('/api/audit-logs', createAuditLogRouter());
app.get('/api/recent-activity', requireAuth(), async (req, res) => {
try {
const limit = Math.min(15, Math.max(1, parseInt(req.query.limit) || 10));
// Hide impersonation events from non-Admin users
const excludedActions = ['login', 'logout', 'login_failed'];
if (req.user.group !== 'Admin') {
excludedActions.push('impersonate_start', 'impersonate_stop');
}
const { rows } = await pool.query(
`SELECT username, action, entity_type, entity_id, details, created_at
FROM audit_logs
WHERE action NOT IN ('login', 'logout', 'login_failed')
WHERE action NOT IN (${excludedActions.map((_, i) => `$${i + 1}`).join(', ')})
ORDER BY created_at DESC
LIMIT $1`,
[limit]
LIMIT $${excludedActions.length + 1}`,
[...excludedActions, limit]
);
res.json({ activities: rows });
} catch (err) {