[4.0][API][com_actionslogs] keep track of API requests

[alikon]

Summary of Changes

listen event onAfterDispatch to keep track of API requests on actionlogs

Testing Instructions

make some requests GET for example:
/api/index.php/v1/plugins
/api/index.php/v1/users
/api/index.php/v1/config/application
/api/index.php/v1/content/article
....
etc...

test other verbs as welll

Expected result

API requests logged
something like

Actual result

N/A

Documentation Changes Required

maybe

[mbabker]

Does this REALLY need a new event? Couldn’t onAfterDispatch work just as well here? You’d just need to check context if using that event.

[alikon]

yes again 😄
there is no need for a new event onAfterDispatch does already the job

[wilsonge]

Looks good to me. Just needs some tests

[Quy]

Please fix conflicts.

[alikon]

conflict solved

[Quy]

User admin performed a GET on index.php/v1/modules/site?language=%2A&state=0

* is displayed as %2A

[Quy]

This can output potential XSS.

[alikon]

any suggestions ?
what about

urldecode(htmlspecialchars($this->app->get('uri.route'), ENT_QUOTES, 'UTF-8'));

[chmst]

Tested with different words, for example

[chmst]

I have tested this item ✅ successfully on afb8f8f

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/27094.}

[wilsonge]

Having thought about this I think we probably want to have an additional flag for this API setting. Because in the case you have mobile apps using the API actively you're going to end up having too many entries in action logs. But you might well still want other actions logged in the component.

[N6REJ]

Tests ran:

Results:

I have tested this item ✅ successfully on afb8f8f

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/27094.}

[alikon]

ok i've fine grained the api logging

now you can disable the api logging
you can enable only some verbs to be logged
and of course only on some "Events"

[alikon]

@chmst, @N6REJ another round of tests please

[Razzo1987]

I have tested this item ✅ successfully on 4a38077

GET: ok
POST: ok
DELETE: ok
PUT: not tested (if someone have an example I try it)
PATCH: non listed in "Verds to log" ( I test this example: https://docs.joomla.org/J4.x:Joomla_Core_APIs#Update_Article)

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/27094.}

[wilsonge]

Thanks!

[alikon]

thanks folks + thanks to covid19 for lockdown
😄