DRF-API-Logger icon indicating copy to clipboard operation
DRF-API-Logger copied to clipboard
verified publisher icon vishalanandl177

Added user and view fields in model and feature

Open rkisdp opened this issue 1 year ago • 12 comments

Added 2 extra fields with complete flow to added the information into the database.

rkisdp avatar Feb 01 '24 10:02 rkisdp

Hi @vishalanandl177, please review the changes and let me know if you find any problem.

rkisdp avatar Feb 01 '24 10:02 rkisdp

@rkisdp any idea when this PR will merge and a new release will be out?

ken-turgnate avatar Feb 14 '24 00:02 ken-turgnate

@rkisdp any idea when this PR will merge and a new release will be out?

@ken-turgnate Sorry but I'm not the maintainer of this repository, so can't do or tell you anything about this.

rkisdp avatar Feb 14 '24 01:02 rkisdp

Apologies @rkisdp . @vishalanandl177 Any idea on when this land and get released? Thanks

ken-turgnate avatar Feb 14 '24 16:02 ken-turgnate

Hi @vishalanandl177, any update on this PR? if there something you want me to change? I want to add more features in this module, please let me know.

rkisdp avatar Mar 29 '24 10:03 rkisdp

I'm interested in having the user too. This package is great, but it would be important to know WHO made the call if it was an authenticated user or not.

tsantor avatar Mar 31 '24 03:03 tsantor

@vishalanandl177 Are you still maintaining the Repo ?

ashwanthbalakrishnan5 avatar Apr 20 '24 14:04 ashwanthbalakrishnan5

Yes @ashwanthbalakrishnan5

vishalanandl177 avatar Apr 20 '24 16:04 vishalanandl177

I cannot merge because doing so may violate certain policies, as observed in various enterprise companies.

vishalanandl177 avatar Apr 20 '24 16:04 vishalanandl177

@vishalanandl177 I am very sorry. Can you please tell me what policies I am breaking in this commit? I will fix them.

rkisdp avatar Apr 20 '24 17:04 rkisdp

Based on my recent conversations with several enterprise companies, developers should not have access to user information. Allowing developers to use customer data for personal interests poses a risk.

vishalanandl177 avatar Apr 20 '24 17:04 vishalanandl177

TL; DR: let's make them optional, disabled by default.

Hi fellow users and devs, I have been employed in multiple SP500 enterprises that takes these risks seriously. In such companies segregation of duties is required for example by Sarbane Oxley Act. Segregation of duties means that if you can change code (you are a developer), you cannot read production DB. Only non-production. So it also means, that you cannot read any production data. You simply don't have access to it. You can only access non-production anonymized sample data in non-production DB. If they give production data access to regular developers, they miss the point of Segregation of Duties.

And only in special cases if it not possible to fix the bug without accessing those non-production data, temporary access to production data is allowed, with special approval.

Source: https://www.securends.com/segregation-of-duties/ (a bit commercial, but correct)

So I think storing ID of the user is perfectly OK.

However, to be on the safe side, it can be an option in settings.py, so one can it enable explicitly only if needed. Would it be the way to go?

stardust85 avatar Jul 26 '24 12:07 stardust85