Skip to content

Audit log: track maintainer added/removed #1607

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Nov 8, 2025
+122 −15
Merged

Audit log: track maintainer added/removed #1607

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
06cac2b
Track when maintainer is added or removed
stevenrombauts Oct 9, 2025
a93c9d4
Add missing controller tests for adding and removing maintainer
stevenrombauts Oct 23, 2025
0555e7a
Merge branch 'main' into maintainer-events
Seldaek Nov 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions src/Audit/AuditRecordType.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,8 @@
enum AuditRecordType: string
{
// package ownership
case MaintainerAdded = 'maintainer_added'; // TODO
case MaintainerRemoved = 'maintainer_removed'; // TODO
case MaintainerAdded = 'maintainer_added';
case MaintainerRemoved = 'maintainer_removed';
case PackageTransferred = 'package_transferred';

// package management
Expand Down
29 changes: 16 additions & 13 deletions src/Controller/PackageController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@

namespace App\Controller;

use App\Entity\AuditRecord;
use App\Entity\Dependent;
use App\Entity\Download;
use App\Entity\Job;
Expand Down Expand Up @@ -904,7 +905,7 @@ public function deletePackageAction(Request $req, string $name): Response
}

#[Route(path: '/packages/{name:package}/maintainers/', name: 'add_maintainer', requirements: ['name' => '[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+'])]
public function createMaintainerAction(Request $req, #[MapEntity] Package $package, LoggerInterface $logger): RedirectResponse
public function createMaintainerAction(Request $req, #[MapEntity] Package $package, #[CurrentUser] User $user, LoggerInterface $logger): RedirectResponse
{
$this->denyAccessUnlessGranted(PackageActions::AddMaintainer->value, $package);

Expand All @@ -914,19 +915,20 @@ public function createMaintainerAction(Request $req, #[MapEntity] Package $packa
try {
$em = $this->getEM();
if ($username = $form->getData()->getUser()) {
$user = $em->getRepository(User::class)->findOneByUsernameOrEmail($username);
$maintainer = $em->getRepository(User::class)->findOneByUsernameOrEmail($username);
}

if (!empty($user)) {
if (!$package->isMaintainer($user)) {
$package->addMaintainer($user);
$this->packageManager->notifyNewMaintainer($user, $package);
if (!empty($maintainer)) {
if (!$package->isMaintainer($maintainer)) {
$package->addMaintainer($maintainer);
$em->persist(AuditRecord::maintainerAdded($package, $maintainer, $user));
$this->packageManager->notifyNewMaintainer($maintainer, $package);
}

$em->persist($package);
$em->flush();

$this->addFlash('success', $user->getUsername().' is now a '.$package->getName().' maintainer.');
$this->addFlash('success', $maintainer->getUsername().' is now a '.$package->getName().' maintainer.');

return $this->redirectToRoute('view_package', ['name' => $package->getName()]);
}
Expand All @@ -941,7 +943,7 @@ public function createMaintainerAction(Request $req, #[MapEntity] Package $packa
}

#[Route(path: '/packages/{name:package}/maintainers/delete', name: 'remove_maintainer', requirements: ['name' => '[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+'])]
public function removeMaintainerAction(Request $req, #[MapEntity] Package $package, LoggerInterface $logger): Response
public function removeMaintainerAction(Request $req, #[MapEntity] Package $package, #[CurrentUser] User $user, LoggerInterface $logger): Response
{
$this->denyAccessUnlessGranted(PackageActions::RemoveMaintainer->value, $package);

Expand All @@ -951,18 +953,19 @@ public function removeMaintainerAction(Request $req, #[MapEntity] Package $packa
try {
$em = $this->getEM();
if ($username = $removeMaintainerForm->getData()->getUser()) {
$user = $em->getRepository(User::class)->findOneByUsernameOrEmail($username);
$maintainer = $em->getRepository(User::class)->findOneByUsernameOrEmail($username);
}

if (!empty($user)) {
if ($package->isMaintainer($user)) {
$package->getMaintainers()->removeElement($user);
if (!empty($maintainer)) {
if ($package->isMaintainer($maintainer)) {
$package->getMaintainers()->removeElement($maintainer);
$em->persist(AuditRecord::maintainerRemoved($package, $maintainer, $user));
}

$em->persist($package);
$em->flush();

$this->addFlash('success', $user->getUsername().' is no longer a '.$package->getName().' maintainer.');
$this->addFlash('success', $maintainer->getUsername().' is no longer a '.$package->getName().' maintainer.');

return $this->redirectToRoute('view_package', ['name' => $package->getName()]);
}
Expand Down
12 changes: 12 additions & 0 deletions src/Entity/AuditRecord.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,8 @@ private function __construct(
public readonly ?string $vendor = null,
#[ORM\Column(nullable: true)]
public readonly ?int $packageId = null,
#[ORM\Column(nullable: true)]
public readonly ?int $userId = null,
) {
$this->id = new Ulid();
$this->datetime = new \DateTimeImmutable();
Expand Down Expand Up @@ -97,6 +99,16 @@ public static function versionReferenceChange(Version $version, ?string $oldSour
);
}

public static function maintainerAdded(Package $package, User $maintainer, ?User $actor): self
{
return new self(AuditRecordType::MaintainerAdded, ['name' => $package->getName(), 'maintainer' => self::getUserData($maintainer), 'actor' => self::getUserData($actor)], $actor?->getId(), $package->getVendor(), $package->getId(), $maintainer->getId());
}

public static function maintainerRemoved(Package $package, User $maintainer, ?User $actor): self
{
return new self(AuditRecordType::MaintainerRemoved, ['name' => $package->getName(), 'maintainer' => self::getUserData($maintainer), 'actor' => self::getUserData($actor)], $actor?->getId(), $package->getVendor(), $package->getId(), $maintainer->getId());
}

/**
* @return array{id: int, username: string}|string
*/
Expand Down
92 changes: 92 additions & 0 deletions tests/Controller/PackageControllerTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,9 @@

namespace App\Tests\Controller;

use App\Audit\AuditRecordType;
use App\Entity\Package;
use App\Entity\User;
use App\Tests\IntegrationTestCase;

class PackageControllerTest extends IntegrationTestCase
Expand Down Expand Up @@ -52,4 +55,93 @@ public function testEdit(): void
self::assertResponseIsSuccessful();
self::assertSame('github.com/composer/composer', $crawler->filter('.canonical')->text());
}

public function testCreateMaintainer(): void
{
$owner = self::createUser('owner', 'owner@example.org');
$newMaintainer = self::createUser('maintainer', 'maintainer@example.org');
$package = self::createPackage('test/pkg', 'https://example.com/test/pkg', maintainers: [$owner]);

$this->store($owner, $newMaintainer, $package);

$this->client->loginUser($owner);

$this->assertFalse($package->isMaintainer($newMaintainer));

$crawler = $this->client->request('GET', '/packages/test/pkg');

$form = $crawler->filter('[name="add_maintainer_form"]')->form();
$form->setValues([
'add_maintainer_form[user]' => 'maintainer',
]);

$this->client->enableProfiler(); // This is required in 7.3.4 to assert emails were sent, see https://github.com/symfony/symfony/issues/61873
$this->client->submit($form);

$this->assertEmailCount(1);
$email = $this->getMailerMessage();
$this->assertNotNull($email);
$this->assertEmailHeaderSame($email, 'To', $newMaintainer->getEmail());

$this->assertResponseRedirects('/packages/test/pkg');
$this->client->followRedirect();
$this->assertResponseIsSuccessful();

$em = self::getEM();
$em->clear();

$maintainer = $em->getRepository(User::class)->find($newMaintainer->getId());
$package = $em->getRepository(Package::class)->find($package->getId());

$this->assertTrue($package->isMaintainer($maintainer));

$auditRecord = $em->getRepository(\App\Entity\AuditRecord::class)->findOneBy([
'type' => AuditRecordType::MaintainerAdded->value,
'packageId' => $package->getId(),
'actorId' => $owner->getId(),
]);
$this->assertNotNull($auditRecord);
}

public function testRemoveMaintainer(): void
{
$owner = self::createUser('owner', 'owner@example.org');
$maintainer = self::createUser('maintainer', 'maintainer@example.org');
$package = self::createPackage('test/pkg', 'https://example.com/test/pkg', maintainers: [$owner, $maintainer]);

$this->store($owner, $maintainer, $package);

$this->client->loginUser($owner);

$this->assertTrue($package->isMaintainer($maintainer));

$crawler = $this->client->request('GET', '/packages/test/pkg');

$form = $crawler->filter('[name="remove_maintainer_form"]')->form();
$form->setValues([
'remove_maintainer_form[user]' => $maintainer->getId(),
]);

$this->client->submit($form);

$this->assertResponseRedirects('/packages/test/pkg');
$this->client->followRedirect();
$this->assertResponseIsSuccessful();

$em = self::getEM();
$em->clear();

$maintainer = $em->getRepository(User::class)->find($maintainer->getId());
$package = $em->getRepository(Package::class)->find($package->getId());

$this->assertFalse($package->isMaintainer($maintainer));

$auditRecord = $em->getRepository(\App\Entity\AuditRecord::class)->findOneBy([
'type' => AuditRecordType::MaintainerRemoved->value,
'packageId' => $package->getId(),
'actorId' => $owner->getId(),
]);

$this->assertNotNull($auditRecord);
}
}