Add support for admin and owner view logging; update tests and views (#3953)

* Add support for admin and owner view logging; update tests and views

* Sign out user in tests to ensure views count as regular views

* Clarify comment in log_view method to emphasize admin view precedence over owner views

* Add tests for log_view method to create owner_view and admin_view audit logs

Author: LukasMalyszko

app/controllers/concerns/log_events.rb

@@ -3,10 +3,16 @@ module LogEvents
   # log_view
   #
   # Record that a view is being made for a push
+  # If the viewer is the owner or an admin, it won't count towards view limits
   #
   def log_view(push)
     if push.expired
       log_event(push, :failed_view)
+    elsif user_signed_in? && current_user.admin?
+      # Admin views take precedence over owner views
+      log_event(push, :admin_view)
+    elsif user_signed_in? && push.user_id == current_user.id
+      log_event(push, :owner_view)
     else
       log_event(push, :view)
     end

app/models/audit_log.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 class AuditLog < ApplicationRecord
-  enum :kind, [:creation, :view, :failed_view, :expire, :failed_passphrase], validate: true
+  enum :kind, [:creation, :view, :failed_view, :expire, :failed_passphrase, :admin_view, :owner_view], validate: true
 
   belongs_to :push
   belongs_to :user, optional: true

app/views/audit_logs/_log_admin_view.html.erb

@@ -0,0 +1,14 @@
+<div class="list-group-item list-group-item-action list-group-item-info">
+    <em class="bi bi-shield-check"></em>
+    <%= _('Admin view on %{date} by %{user}') % {
+        date: I18n.l(audit_log.created_at.in_time_zone(Settings.timezone)),
+        user: audit_log.subject_name
+    } %>
+    <span class="badge bg-info"><%= _('Does not count towards view limit') %></span>
+    <br>
+    <%= _('IP Address:') %> <code><%= render 'application/ip_address', ip: audit_log.ip %></code>
+    <br>
+    <%= _('User Agent:') %> <code><%= audit_log.user_agent.blank? ? _('None') : audit_log.user_agent %></code>
+    <br>
+    <%= _('Referrer:') %> <code><%= audit_log.referrer.blank? ? _('None') : audit_log.referrer %></code>
+</div>

app/views/audit_logs/_log_owner_view.html.erb

@@ -0,0 +1,14 @@
+<div class="list-group-item list-group-item-action list-group-item-info">
+    <em class="bi bi-person-check"></em>
+    <%= _('Owner view on %{date} by %{user}') % {
+        date: I18n.l(audit_log.created_at.in_time_zone(Settings.timezone)),
+        user: audit_log.subject_name
+    } %>
+    <span class="badge bg-info"><%= _('Does not count towards view limit') %></span>
+    <br>
+    <%= _('IP Address:') %> <code><%= render 'application/ip_address', ip: audit_log.ip %></code>
+    <br>
+    <%= _('User Agent:') %> <code><%= audit_log.user_agent.blank? ? _('None') : audit_log.user_agent %></code>
+    <br>
+    <%= _('Referrer:') %> <code><%= audit_log.referrer.blank? ? _('None') : audit_log.referrer %></code>
+</div>

test/controllers/concerns/log_events_test.rb

@@ -60,6 +60,71 @@ class LogEventsTest < ActionController::TestCase
     assert_equal @push, result
   end
 
+  test "log_view creates owner_view audit log when current_user is push owner" do
+    @push.update(expired: false, user: @user)
+    sign_in @user
+
+    @request.env["REMOTE_ADDR"] = "192.168.1.1"
+    @request.env["HTTP_USER_AGENT"] = "Mozilla/5.0"
+    @request.env["HTTP_REFERER"] = "https://example.com"
+
+    result = @controller.log_view(@push)
+
+    assert_equal @push, result
+    assert_equal 1, AuditLog.count
+    log = AuditLog.last
+    assert_equal :owner_view, log.kind.to_sym
+    assert_equal @push, log.push
+    assert_equal @user, log.user
+    assert_equal "192.168.1.1", log.ip
+    assert_equal "Mozilla/5.0", log.user_agent
+    assert_equal "https://example.com", log.referrer
+  end
+
+  test "log_view creates admin_view audit log when current_user is admin but not owner" do
+    admin = users(:mr_admin)
+    @push.update(expired: false, user: @user)
+    sign_in admin
+
+    @request.env["REMOTE_ADDR"] = "10.0.0.5"
+    @request.env["HTTP_USER_AGENT"] = "AdminBrowser/1.0"
+    @request.env["HTTP_REFERER"] = "https://admin.com"
+
+    result = @controller.log_view(@push)
+
+    assert_equal @push, result
+    assert_equal 1, AuditLog.count
+    log = AuditLog.last
+    assert_equal :admin_view, log.kind.to_sym
+    assert_equal @push, log.push
+    assert_equal admin, log.user
+    assert_equal "10.0.0.5", log.ip
+    assert_equal "AdminBrowser/1.0", log.user_agent
+    assert_equal "https://admin.com", log.referrer
+  end
+
+  test "log_view creates regular view audit log when signed in user is neither owner nor admin" do
+    other_user = users(:one)
+    @push.update(expired: false, user: @user)
+    sign_in other_user
+
+    @request.env["REMOTE_ADDR"] = "172.16.0.10"
+    @request.env["HTTP_USER_AGENT"] = "UserBrowser/2.0"
+    @request.env["HTTP_REFERER"] = "https://user.com"
+
+    result = @controller.log_view(@push)
+
+    assert_equal @push, result
+    assert_equal 1, AuditLog.count
+    log = AuditLog.last
+    assert_equal :view, log.kind.to_sym
+    assert_equal @push, log.push
+    assert_equal other_user, log.user
+    assert_equal "172.16.0.10", log.ip
+    assert_equal "UserBrowser/2.0", log.user_agent
+    assert_equal "https://user.com", log.referrer
+  end
+
   # Test log_creation method
   test "log_creation creates creation audit log" do
     @request.env["REMOTE_ADDR"] = "172.16.0.1"
@@ -247,7 +312,7 @@ class LogEventsTest < ActionController::TestCase
 
   # Test edge cases
   test "log_event handles all valid audit log kinds" do
-    kinds = [:creation, :view, :failed_view, :expire, :failed_passphrase]
+    kinds = [:creation, :view, :failed_view, :expire, :failed_passphrase, :owner_view, :admin_view]
 
     kinds.each do |kind|
       AuditLog.delete_all
@@ -274,6 +339,18 @@ class LogEventsTest < ActionController::TestCase
       when :failed_view
         push.update(expired: true)
         @controller.log_view(push)
+      when :owner_view
+        owner = users(:luca)
+        push.update(user: owner)
+        sign_in owner
+        @controller.log_view(push)
+        sign_out owner
+      when :admin_view
+        admin = users(:mr_admin)
+        push.update(user: users(:one))
+        sign_in admin
+        @controller.log_view(push)
+        sign_out admin
       end
 
       assert_equal 1, AuditLog.count, "Expected 1 audit log for kind: #{kind}"