Hide admin-only actions from non-Admin activity feed
Non-Admin users should not see user management events (create, delete, group changes, password resets), impersonation events, or admin-only compliance operations (config reconcile, upload rollback) in the Recent Activity panel.
@@ -164,7 +164,14 @@ app.get('/api/recent-activity', requireAuth(), async (req, res) => {
|
|||||||
// Hide impersonation events from non-Admin users
|
// Hide impersonation events from non-Admin users
|
||||||
const excludedActions = ['login', 'logout', 'login_failed'];
|
const excludedActions = ['login', 'logout', 'login_failed'];
|
||||||
if (req.user.group !== 'Admin') {
|
if (req.user.group !== 'Admin') {
|
||||||
excludedActions.push('impersonate_start', 'impersonate_stop');
|
// Hide admin-only actions from non-Admin users
|
||||||
|
excludedActions.push(
|
||||||
|
'impersonate_start', 'impersonate_stop',
|
||||||
|
'create_user', 'delete_user', 'update_user',
|
||||||
|
'added_user', 'deleted_user', 'group_change',
|
||||||
|
'toggle_active', 'password_reset',
|
||||||
|
'compliance_config_reconcile', 'compliance_upload_rollback'
|
||||||
|
);
|
||||||
}
|
}
|
||||||
const { rows } = await pool.query(
|
const { rows } = await pool.query(
|
||||||
`SELECT username, action, entity_type, entity_id, details, created_at
|
`SELECT username, action, entity_type, entity_id, details, created_at
|
||||||
|
|||||||
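Review bot: The filter inside `if (req.user.group !== 'Admin')` is a deny-list, so it fails open: any admin-only action added later, or one already logged under a name not listed here, will appear in Recent Activity for every authenticated user until this array is extended. Having both `create_user`/`added_user` and `delete_user`/`deleted_user` in the list suggests action names are not uniform, which makes that drift more likely. Consider an allow-list of actions non-Admin users may see, or at least a shared constant kept next to where audit actions are defined, e.g. `const ADMIN_ONLY_ACTIONS = Object.freeze([...]);` and `excludedActions.push(...ADMIN_ONLY_ACTIONS);`. The leading comment `// Hide impersonation events from non-Admin users` now sits above the always-excluded login actions and no longer describes the block. The query that consumes `excludedActions` continues outside the hunk, so how the list is bound into the SQL cannot be confirmed from here.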