Possible Bug: Auditing login events

For general questions and discussions specific to the AbleCommerce GOLD ASP.Net shopping cart software.

Post by jguengerich » Wed Apr 23, 2014 10:26 am

I'm using R5, but it looks like the code in question is still the same in R7.

I was looking at the Audit Log and noticed that Admin login events are getting saved with an anonymous UserId in the UserId field instead of the actual Admin UserId. The actual Admin UserId is getting put in the Comment field. I think the following line of code in the AuditLogin_Success method in CommercBuilder\Users\AbleCommerceMembershipProvider.cs:

      Logger.Audit(AuditEventType.Login, true, user.Id.ToString());

should be changed to this:

      Logger.Audit(AuditEventType.Login, true, user.Id.ToString(), user);

I have tested this change and it does store the correct Admin UserId in the UserId field in the ac_AuditEvents table.
I can't think of a reason why you'd want the anonymous UserId there, am I missing something?
I believe similar code changes should be made to the other AuditLogin_* methods, except for AuditLogin_InvalidUsername.

If someone from AbleCommerce can confirm this is a bug, I'll file it using the Feedback button.
Jay

Post by nadeem » Fri Apr 25, 2014 5:20 am

I just confirmed this issue exists in our latest R7 build as well. However, the fix you have provided is a little different. For the proper fix you have to update all AuditLogin_* methods except AuditLogin_InvalidUsername inside CommercBuilder\Users\AbleCommerceMembershipProvider.cs like this, for example:

      //AuditLogin_Unapproved method
      Logger.Audit(AuditEventType.Login, false, "User not approved.", user);

      //AuditLogin_InvalidPassword method
      Logger.Audit(AuditEventType.Login, false, "Invalid password", user);

      //AuditLogin_Success method      
      Logger.Audit(AuditEventType.Login, true, string.Empty, user);

I have reported this issue in our bug tracking system and it will be available in the next release. Thanks for reporting, BTW.
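
Audit rows written before this fix keep the anonymous ID in UserId and, for successful logins, the real user ID in Comment. The following is an added example, not AbleCommerce code and not from either poster, showing how such rows can be re-attributed at read time without altering the stored audit records. It runs against an in-memory SQLite stand-in with constructed rows; the table layout, every column other than UserId and Comment, and the function names are assumptions.

```python
import sqlite3

def build_sample_db():
    """In-memory stand-in for the store database; every row is constructed."""
    conn = sqlite3.connect(":memory:")
    # Assumed layout: the page names only ac_AuditEvents, UserId and Comment.
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, is_anonymous INTEGER);
        CREATE TABLE audit_events (id INTEGER PRIMARY KEY, event_type TEXT,
                                   success INTEGER, user_id INTEGER, comment TEXT);
    """)
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(42, 0), (57, 0), (9001, 1), (9002, 1), (9003, 1), (9004, 1)])
    conn.executemany("INSERT INTO audit_events VALUES (?, ?, ?, ?, ?)", [
        (1, "Login", 1, 9001, "42"),                # pre-fix success: real ID in Comment
        (2, "Login", 0, 9002, "Invalid password"),  # failure: Comment is a message
        (3, "Login", 1, 57, ""),                    # post-fix success: UserId is correct
        (4, "Login", 1, 9003, "777"),               # Comment names no known user
        (5, "Order", 1, 9004, "42"),                # not a login event, ignored
    ])
    return conn

def resolve_login_attribution(conn):
    """Return (event_id, effective_user_id, status) per login event, read-only."""
    real_users = {row[0] for row in
                  conn.execute("SELECT id FROM users WHERE is_anonymous = 0")}
    rows = conn.execute("SELECT id, success, user_id, comment FROM audit_events "
                        "WHERE event_type = 'Login' ORDER BY id")
    results = []
    for event_id, success, user_id, comment in rows:
        comment = (comment or "").strip()
        if user_id in real_users:
            # UserId already names a registered user; trust the stored value.
            results.append((event_id, user_id, "recorded"))
        elif success and comment.isascii() and comment.isdigit() \
                and int(comment) in real_users:
            # Pre-fix success row: the real ID was written to Comment.
            results.append((event_id, int(comment), "recovered"))
        else:
            # Nothing on the row identifies the account; leave it unattributed.
            results.append((event_id, None, "unresolved"))
    return results

if __name__ == "__main__":
    for row in resolve_login_attribution(build_sample_db()):
        print(row)
```

Rows reported as "unresolved" cannot be tied to an account from the audit table alone.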
