bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: impersonation.active default tag for non-impersonation authenticated events

Browse Source 
RFC §3.6 vereist impersonation.active als always-present binary signal
op authenticated events. Originele PR-2 architectural-fixes verplaatste
impersonation-tagging naar HandleImpersonation middleware, die alleen
draait bij actieve impersonation. Resultaat: non-impersonation events
hadden GEEN tag, niet 'false' tag — wat filtering op "alle impersonation
events" in GlitchTip stilletjes onmogelijk maakte.

Fix: AuthScopeContextListener::bindForUser() zet baseline 'false';
HandleImpersonation overschrijft naar 'true' + impersonator_user_id
wanneer actief. Default-in-listener, override-in-middleware pattern.
HandleImpersonation deed de override-set al correct sinds commit
9414d09; alleen de baseline ontbrak.

Bert's live verification toonde de gap: super_admin event zonder
impersonation actief, GlitchTip event zonder impersonation.active tag.

Tests:
- test_impersonation_active_default_false_for_non_impersonation_authenticated_event
  (was test_authenticated_event_does_not_set_impersonation_tags;
  hernoemd + assertion gewijzigd)
- test_impersonation_active_default_false_across_every_actor_scope_branch
  walks elke actor_scope branch (user/organisation/platform) en bewijst
  baseline geldt uniform — vangt toekomstige refactors die per branch
  vroegtijdig returnen.

Test count 1544 to 1545. Larastan + Pint clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-05-07 17:30:27 +02:00
parent 215405ad50
commit a939820122
2 changed files with 57 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
api/app/Listeners/Observability/AuthScopeContextListener.php
View File

@@ -77,6 +77,11 @@ final class AuthScopeContextListener
'id' => $user->id,
'username' => $user->id, // RFC §3.8: ULID, never email.
]);
// Default baseline; HandleImpersonation middleware overschrijft
// naar 'true' + zet impersonation.impersonator_user_id wanneer
// impersonation actief is. RFC §3.6 vereist always-present
// binary signal voor betrouwbare filtering.
$scope->setTag('impersonation.active', 'false');
$scope->setTag('user_id', $user->id);
$scope->setTag('actor_type', $actorType->value);
$scope->setTag('actor_scope', $actorScope);