"Show only own events" not as expected

[vitko-bg]

Looks like "Show only own events" is not working correctly.

Option to show own events only is ON:

Steps to reproduce: Using admin account created "testtest" account, assigned rights for the devices and logged in to MC using "testtest" account

On the events tab appearing my original administrator name "LetsSaysSomethingSpecial" and changes made to testtest account.

Expectation: Events created and/or triggered by "testtest" account to appear on the events tab, not those ones from the administrator account?

MC version: 1.0.85 - currently latest Running on Debian Jessie Node: 10.16.2

[vitko-bg]

Any update on this?

[vitko-bg]

Any update please? @Ylianst can you help with this issue please? Thanks.

[vitko-bg]

Any update on this issue please? The issue still persist in v.1.1.15

[si458]

this is correct, because you see your own events, but you also see any 'admin events' that an admin account did to your account! this is sort of a security feature, as an admin account, could change ur permission to say view other devices you shouldnt be able to see? and you could then check/verify WHEN this happened as it could be a hack attack!

[vitko-bg]

Well ..... @si458 try to see it from my point of view and you will understand. I am not quite agree with your statement, as this is opposite to security feature. Because to stay secure I am using login name which is "SomethingSecret", not Admin, not Administrator - and in this case users can see my login name and all what needs to be guessed is password. So in my eyes it is completely opposite to security feature. May this then will be an option in server configuration to choose if admin events should be visible from users side or not. "Show only own events" should show only users events, not done by Admin or anyone else.

[si458]

the problem you have @vitko-bg is the way the events are stored in the database, when an 'admin' changes a group say, it saves 'admin' and 'user' and 'groupid' for example as an entry when you search for events, its searching for your name 'user', so its going to ALWAYS show those events regardless! so i dont believe the is anything we can do im afraid

EDIT: example sql query, to try yourself in mysql/mariadb

SELECT doc FROM events JOIN eventids ON id = fkid WHERE (domain = '' AND target IN ('user//fred')) GROUP BY id ORDER BY time DESC

example reply from a line, simon is my admin account, fred is a normal account

{
  "ids": [
    "*",
    "server-users",
    "user//simon",
    "user//fred"
  ],
  "msg": "Device group membership changed: fred",
  "time": "2023-11-04T22:19:47.879Z",
  "etype": "user",
  "msgid": 78,
  "action": "accountchange",
  "domain": "",
  "userid": "user//simon",
  "account": {
    "_id": "user//fred",
    "name": "fred",
    "email": "[email protected]",
    "links": {
      "mesh//@DEDmL8bSyKan6f03rrrmA7ILlLkBJcfLBwryjv17RabbCrMmRv8NubxFm0YF1SZ": {
        "rights": 8200
      },
      "mesh//GeQtYFY9BrCIgyeB0dHLyEeZN318Ml52Da9j0HbT66$Z6aZkJ5wTyrS92pWBHTWc": {
        "rights": 8200
      }
    },
    "login": 1699135530,
    "phone": "0123456789",
    "access": 1699136111,
    "creation": 1695387746,
    "realname": "Fred Smith",
    "pastlogin": 1699135413,
    "siteadmin": 0,
    "passchange": 1699135407,
    "emailVerified": true
  },
  "msgArgs": [
    "fred"
  ],
  "username": "simon"
}

[vitko-bg]

Ideally would like "Show only own events" to show only users events, not events done by someone else. Hope this can be achieved. Will leave you or @Ylianst to decide.

[vitko-bg]

Just checking if any update on this issue? Thanks.

[si458]

no because this isnt a bug, but a feature request, because generally you WOULD want to see if an admin changed anything on ur account. so im going to close this for now and follow #6136 for updates