diff --git a/api/src/org/labkey/api/audit/query/DefaultAuditTypeTable.java b/api/src/org/labkey/api/audit/query/DefaultAuditTypeTable.java index 4a1647ae863..dae043f66f0 100644 --- a/api/src/org/labkey/api/audit/query/DefaultAuditTypeTable.java +++ b/api/src/org/labkey/api/audit/query/DefaultAuditTypeTable.java @@ -34,14 +34,9 @@ import org.labkey.api.query.QueryUpdateService; import org.labkey.api.query.UserSchema; import org.labkey.api.query.column.BuiltInColumnTypes; -import org.labkey.api.security.SecurityManager; -import org.labkey.api.security.User; import org.labkey.api.security.UserPrincipal; import org.labkey.api.security.permissions.Permission; import org.labkey.api.security.permissions.ReadPermission; -import org.labkey.api.security.roles.CanSeeAuditLogRole; -import org.labkey.api.security.roles.Role; -import org.labkey.api.security.roles.RoleManager; import java.util.ArrayList; import java.util.List; @@ -119,9 +114,7 @@ protected void initColumns() @Override protected SimpleFilter.FilterClause getContainerFilterClause(ContainerFilter filter, FieldKey fieldKey) { - User user = (null == getUserSchema()) ? null : getUserSchema().getUser(); - Set roles = SecurityManager.canSeeAuditLog(user) ? RoleManager.roleSet(CanSeeAuditLogRole.class) : null; - return filter.createFilterClause(getSchema(), fieldKey, CanSeeAuditLogPermission.class, roles); + return filter.createFilterClause(getSchema(), fieldKey, CanSeeAuditLogPermission.class, Set.of()); } // Subclasses may override this to provide customizations to the column diff --git a/api/src/org/labkey/api/security/roles/CanSeeAuditLogFolderRole.java b/api/src/org/labkey/api/security/roles/CanSeeAuditLogFolderRole.java new file mode 100644 index 00000000000..9ebd470280c --- /dev/null +++ b/api/src/org/labkey/api/security/roles/CanSeeAuditLogFolderRole.java @@ -0,0 +1,16 @@ +package org.labkey.api.security.roles; + +import org.labkey.api.audit.permissions.CanSeeAuditLogPermission; + +/** + * See {@link CanSeeAuditLogRole} for the site role version + */ +public class CanSeeAuditLogFolderRole extends AbstractRole +{ + protected CanSeeAuditLogFolderRole() + { + super("See Audit Log Events", "Allows non-administrators to view audit log events. " + CanSeeAuditLogRole.FINAL_WARNING_LINE, + CanSeeAuditLogPermission.class + ); + } +} diff --git a/api/src/org/labkey/api/security/roles/CanSeeAuditLogRole.java b/api/src/org/labkey/api/security/roles/CanSeeAuditLogRole.java index 3a0bddf8fb6..f033329e500 100644 --- a/api/src/org/labkey/api/security/roles/CanSeeAuditLogRole.java +++ b/api/src/org/labkey/api/security/roles/CanSeeAuditLogRole.java @@ -18,11 +18,20 @@ import org.labkey.api.audit.permissions.CanSeeAuditLogPermission; import org.labkey.api.security.permissions.SeeUserDetailsPermission; +/** + * See {@link CanSeeAuditLogFolderRole}, the project/folder version of this role + */ public class CanSeeAuditLogRole extends AbstractRootContainerRole { + static final String FINAL_WARNING_LINE = "This role should be used with caution since the audit log may " + + "contain sensitive or protected information. For example, dataset or list imports where detailed logging " + + "was turned on."; + public CanSeeAuditLogRole() { - super("See Audit Log Events", "Allows non-administrators to view audit log events", + super("See Audit Log Events", "Allows non-administrators to view audit log events in the " + + "root, every project, and every folder on this site. This level of visibility is not generally recommended. " + + "For more granular control, assign this role at the folder level instead. " + FINAL_WARNING_LINE, CanSeeAuditLogPermission.class, SeeUserDetailsPermission.class ); diff --git a/api/src/org/labkey/api/security/roles/RoleManager.java b/api/src/org/labkey/api/security/roles/RoleManager.java index d656e5592d9..8ba6de628b1 100644 --- a/api/src/org/labkey/api/security/roles/RoleManager.java +++ b/api/src/org/labkey/api/security/roles/RoleManager.java @@ -134,6 +134,7 @@ private int getPermLevel(Role r) registerRole(new SubmitterRole()); registerRole(new NoPermissionsRole()); registerRole(new OwnerRole()); + registerRole(new CanSeeAuditLogFolderRole()); } public static void addAdminRoleListener(AdminRoleListener listener)