Security log and plugin keys

[caramcc]

Is there any functionality to add "plugin key modified" event to the forum Security Log? I noticed that if the value of a plugin associated with a post is modified, e.g., from the javascript console, nothing is captured in the security log. Since this is a CRUD action associated with a logged-in user it seems like it should be logged.

(Posted this here rather than in the plugin forum because it relates to the security log and not plugin development, sorry in advance if that isn't right.)

[Derek‽]

Plugin key value changes aren’t tracked by the security log. Changes to plugin settings in the ACP are recorded, but not individual keys.

As such, no, it’s not possible for a plugin developer to add an event to the security log. Only the backend forum software has any control over what appears in the log for the purpose of maintaining integrity, and those actions are limited to a standard, fixed scope.

There’s a fair argument for allowing it, I suppose, but I don’t know if PB feels comfortable opening up manipulation of the log to plugin development, even if it’s just to add entries. Perhaps v6 will bring such a change.

[Kami]

For whatever it's worth, plugins as a whole can't affect anything in the admin panel's functionality, regardless of function. Plugins are only able to affect the forum proper.

That said, perhaps PB will be willing to consider adding​ to the logged actions of a forum to include plugin key modifications, rather than allowing plugin developers access to manipulate the log itself (since, historically, requests to allow the manipulation of the security log have been declined)​​​. The one thing I can see however is security log overload; if, for example, a super key's changes are being logged, that's (potentially) a lot of people overwriting that super key on a regular basis. I don't know what sort of resource requirements the security log has, but that could be a potential drawback.

[caramcc]

Thanks for your responses.

Yes, my interest is less in having a plugin modify the security log itself and rather having updates/deletes get optionally recorded to the security log. If it were toggle-able for a given plugin key (i.e. so developers/admins could enable logging for low-volume keys) that would be even better.

I suppose this is more of a feature request, then. Generically being able to ship events to the security log would be even better but doesn't seem as feasible.

[Kami]

Apr 15, 2019 15:31:47 GMT -8 caramcc said:

Thanks for your responses.

Yes, my interest is less in having a plugin modify the security log itself and rather having updates/deletes get optionally recorded to the security log. If it were toggle-able for a given plugin key (i.e. so developers/admins could enable logging for low-volume keys) that would be even better.

I suppose this is more of a feature request, then. Generically being able to ship events to the security log would be even better but doesn't seem as feasible.

It looks like this thread has been labelled as a feature request! \o/ As a note: feature requests aren't guaranteed to be delivered but it is at least something that PB is willing to consider implementing, pending time, resources, and feasibility (: