API endpoint for document audit log

2024-04-07 21:58:20 -07:00 · 2024-04-07 21:58:20 -07:00 · 07dc41a59d
commit 07dc41a59d
parent d65fcf70f3
2 changed files with 56 additions and 0 deletions
--- a/src/documents/tests/test_api_documents.py
+++ b/src/documents/tests/test_api_documents.py
@ -316,6 +316,29 @@ class TestDocumentApi(DirectoriesMixin, DocumentConsumeDelayMixin, APITestCase):
        response = self.client.get(f"/api/documents/{doc.pk}/thumb/")
        self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)

+    def test_document_audit_action(self):
+        doc = Document.objects.create(
+            title="First title",
+            checksum="123",
+            mime_type="application/pdf",
+        )
+        self.client.force_login(user=self.user)
+        self.client.patch(
+            f"/api/documents/{doc.pk}/",
+            {"title": "New title"},
+            format="json",
+        )
+
+        response = self.client.get(f"/api/documents/{doc.pk}/audit/")
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(len(response.data), 2)
+        self.assertEqual(response.data[0]["actor"]["id"], self.user.id)
+        self.assertEqual(response.data[0]["action"], "update")
+        self.assertEqual(
+            response.data[0]["changes"],
+            {"title": ["First title", "New title"]},
+        )
+
    def test_document_filters(self):
        doc1 = Document.objects.create(
            title="none1",
--- a/src/documents/views.py
+++ b/src/documents/views.py
@ -729,6 +729,39 @@ class DocumentViewSet(
            ]
            return Response(links)

+    @action(methods=["get"], detail=True, name="Audit Trail")
+    def audit(self, request, pk=None):
+        try:
+            doc = Document.objects.get(pk=pk)
+            if not request.user.has_perm("auditlog.view_logentry") or (
+                doc.owner is not None and doc.owner != request.user
+            ):
+                return HttpResponseForbidden(
+                    "Insufficient permissions",
+                )
+        except Document.DoesNotExist:
+            raise Http404
+
+        if request.method == "GET":
+            entries = [
+                {
+                    "id": entry.id,
+                    "timestamp": entry.timestamp,
+                    "action": entry.get_action_display(),
+                    "changes": json.loads(entry.changes),
+                    "remote_addr": entry.remote_addr,
+                    "actor": (
+                        {"id": entry.actor.id, "username": entry.actor.username}
+                        if entry.actor
+                        else None
+                    ),
+                }
+                for entry in LogEntry.objects.filter(object_pk=doc.pk).order_by(
+                    "-timestamp",
+                )
+            ]
+            return Response(entries)
+

 class SearchResultSerializer(DocumentSerializer, PassUserMixin):
    def to_representation(self, instance):