Add missing audits.event / audits.resource labels to Projects API endpoints by Copilot · Pull Request #11474 · appwrite/appwrite · GitHub
Draft
Copilot wants to merge 2 commits into 1.8.x from copilot/add-missing-audit-labels
Contributor
Copilot AI commented Mar 7, 2026

Most write endpoints in app/controllers/api/projects.php were missing audits.event and audits.resource labels, resulting in incomplete audit logs for admin actions on project configuration, webhooks, keys, platforms, and templates.

Changes

  • Project config updates: added projects.service.update, projects.api.update, projects.oauth2.update, and projects.auth.update events to all PATCH endpoints under /service, /api, /oauth2, and /auth/*
  • Webhook CRUD: webhooks.create, webhooks.update, webhooks.delete with resource project/{request.projectId}/webhook/{request.webhookId}
  • Key CRUD: keys.create, keys.update, keys.delete with resource project/{request.projectId}/key/{request.keyId}
  • Platform update: platforms.update with resource project/{request.projectId}/platform/{request.platformId}
  • JWT creation: jwts.create with resource project/{request.projectId}
  • SMTP & templates: projects.update for SMTP config, SMTP test, and email/SMS template patch/delete endpoints

Example of the pattern applied:

Http::patch('/v1/projects/:projectId/auth/session-invalidation')
    ->desc('Update invalidate session option of the project')
    ->groups(['api', 'projects'])
    ->label('audits.event', 'projects.auth.update')
    ->label('audits.resource', 'project/{request.projectId}')
    ->label('scope', 'projects.write')

All resource strings use {request.*} template placeholders, consistent with the parseLabel mechanism in app/controllers/shared/api.php. GET (read-only) endpoints are intentionally excluded.

Original prompt

This section details on the original issue you should resolve

<issue_title>Add missing audits.event / audits.resource labels to Projects API endpoints</issue_title>
<issue_description>## Description
In app/controllers/api/projects.php (branch 1.8.x), many write/mutation endpoints are missing the audit labels:

  • ->label('audits.event', ...)
  • ->label('audits.resource', ...)

A few endpoints already include these labels (e.g., project delete, platform create/delete), but most other endpoints do not, which results in incomplete audit logging for admin actions.

File

  • app/controllers/api/projects.php

Source

  • https://github.com/appwrite/appwrite/blob/1.8.x/app/controllers/api/projects.php

Endpoints missing audit labels

Write endpoints (non-GET) in this file that are missing both labels include:

  • PATCH /v1/projects/:projectId/service
  • PATCH /v1/projects/:projectId/service/all
  • PATCH /v1/projects/:projectId/api
  • PATCH /v1/projects/:projectId/api/all
  • PATCH /v1/projects/:projectId/oauth2
  • PATCH /v1/projects/:projectId/auth/session-alerts
  • PATCH /v1/projects/:projectId/auth/memberships-privacy
  • PATCH /v1/projects/:projectId/auth/limit
  • PATCH /v1/projects/:projectId/auth/duration
  • PATCH /v1/projects/:projectId/auth/:method
  • PATCH /v1/projects/:projectId/auth/password-history
  • PATCH /v1/projects/:projectId/auth/password-dictionary
  • PATCH /v1/projects/:projectId/auth/personal-data
  • PATCH /v1/projects/:projectId/auth/max-sessions
  • PATCH /v1/projects/:projectId/auth/mock-numbers
  • POST /v1/projects/:projectId/webhooks
  • PUT /v1/projects/:projectId/webhooks/:webhookId
  • PATCH /v1/projects/:projectId/webhooks/:webhookId/signature
  • DELETE /v1/projects/:projectId/webhooks/:webhookId
  • POST /v1/projects/:projectId/keys
  • PUT /v1/projects/:projectId/keys/:keyId
  • DELETE /v1/projects/:projectId/keys/:keyId
  • POST /v1/projects/:projectId/jwts
  • PUT /v1/projects/:projectId/platforms/:platformId
  • PATCH /v1/projects/:projectId/smtp
  • POST /v1/projects/:projectId/smtp/tests
  • PATCH /v1/projects/:projectId/templates/sms/:type/:locale (currently throws NOT_IMPLEMENTED, but still defined)
  • PATCH /v1/projects/:projectId/templates/email/:type/:locale
  • DELETE /v1/projects/:projectId/templates/sms/:type/:locale (currently throws NOT_IMPLEMENTED, but still defined)
  • DELETE /v1/projects/:projectId/templates/email/:type/:locale
  • PATCH /v1/projects/:projectId/auth/session-invalidation

(There are also GET endpoints missing audit labels; those may be intentionally excluded since they are read-only.)

Expected behavior / Acceptance criteria

  • All state-changing endpoints in projects.php should include audits.event and audits.resource labels consistent with existing patterns in the repo.
  • Audit resource strings should include the project and, where applicable, sub-resources (webhookId, keyId, platformId, etc.).
  • Confirm audits are emitted for these endpoints (manual test or unit/integration test if available).

Suggested audit naming (example pattern)

Event

  • projects.service.update
  • projects.api.update
  • projects.oauth2.update
  • projects.auth.update
  • webhooks.create|update|delete
  • keys.create|update|delete
  • smtp.update
  • smtp.tests.create

Resource

  • project/{request.projectId}
  • webhook/{request.webhookId}</issue_description>

Comments on the Issue (you are @copilot in this section)



…ints

Co-authored-by: stnguyen90 <1477010+stnguyen90@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add missing audits.event and audits.resource labels to Projects API" to "Add missing audits.event / audits.resource labels to Projects API endpoints" Mar 7, 2026
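
The issue's acceptance criterion (every state-changing endpoint in projects.php carries both audit labels) can be checked mechanically. The following is an added example, not code from this pull request or from Appwrite: a small Python lint that reports non-GET route chains lacking audits.event or audits.resource. It assumes routes are declared as Http::<method>('<path>') chains as in the snippet in the PR description, and that a {request.X} placeholder is filled from a path parameter or a declared ->param() named X; audit_gaps and SAMPLE are names introduced here.

```python
import re

# Route chain opener as used in the PR description: Http::patch('/v1/...')
ROUTE = re.compile(r"Http::(get|post|put|patch|delete)\(\s*'([^']+)'\s*\)", re.I)
LABEL = re.compile(r"->label\(\s*'([^']+)'\s*,\s*'([^']*)'\s*\)")
PARAM = re.compile(r"->param\(\s*'([^']+)'")
REQUIRED = ("audits.event", "audits.resource")

def audit_gaps(php_source):
    """Return [(METHOD, path, [problems])] for write routes with audit-label gaps."""
    findings = []
    routes = list(ROUTE.finditer(php_source))
    for i, m in enumerate(routes):
        method, path = m.group(1).upper(), m.group(2)
        if method == "GET":  # read-only routes are out of scope, as in the PR
            continue
        # A chain runs from this route opener to the next one (or end of file).
        end = routes[i + 1].start() if i + 1 < len(routes) else len(php_source)
        chain = php_source[m.end():end]
        labels = dict(LABEL.findall(chain))
        problems = [f"missing {name}" for name in REQUIRED if name not in labels]
        # Assumption: {request.X} is filled from a path parameter or a declared
        # ->param() named X, so any other name points at a typo in the label.
        known = set(re.findall(r":(\w+)", path)) | set(PARAM.findall(chain))
        resource = labels.get("audits.resource", "")
        for name in re.findall(r"\{request\.(\w+)\}", resource):
            if name not in known:
                problems.append(f"unknown placeholder request.{name}")
        if problems:
            findings.append((method, path, problems))
    return findings

# Constructed sample, modelled on the snippet in the PR description.
SAMPLE = """
Http::get('/v1/projects/:projectId/keys')
    ->label('scope', 'projects.read')
Http::patch('/v1/projects/:projectId/auth/session-invalidation')
    ->label('audits.event', 'projects.auth.update')
    ->label('audits.resource', 'project/{request.projectId}')
    ->label('scope', 'projects.write')
Http::delete('/v1/projects/:projectId/keys/:keyId')
    ->label('scope', 'projects.write')
Http::put('/v1/projects/:projectId/webhooks/:webhookId')
    ->label('audits.event', 'webhooks.update')
    ->label('audits.resource', 'project/{request.projectId}/webhook/{request.hookId}')
"""

if __name__ == "__main__":
    for method, path, problems in audit_gaps(SAMPLE):
        print(method, path, "; ".join(problems))
```

Run against the real controller file in CI, a non-empty result can fail the build so that a new write endpoint cannot ship without audit coverage.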