Merge branch '323905-audit-event-new-administrator' into 'master'

Add instance-level audit event when admin status changes See merge request gitlab-org/gitlab!65168

Merge branch '323905-audit-event-new-administrator' into 'master'
Add instance-level audit event when admin status changes See merge request gitlab-org/gitlab!65168
d2430c45 · Sean McGivern · d4447503 · 03f0de49 · d2430c45 · d2430c45
Commit d2430c45 authored Jul 01, 2021 by Sean McGivern
3 changed files
--- a/doc/administration/audit_events.md
+++ b/doc/administration/audit_events.md
@@ -162,6 +162,7 @@ The following user actions are recorded:
 - Failed second-factor authentication attempt ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/16826) in GitLab 13.5)
 - A user's personal access token was successfully created or revoked ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/276921) in GitLab 13.6)
 - A failed attempt to create or revoke a user's personal access token ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/276921) in GitLab 13.6)
+- Administrator added or removed ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/323905) in GitLab 14.1)

 Instance events can also be accessed via the [Instance Audit Events API](../api/audit_events.md#instance-audit-events).


--- a/ee/app/services/ee/users/update_service.rb
+++ b/ee/app/services/ee/users/update_service.rb
@@ -24,6 +24,7 @@ module EE
        audit_changes(:email, as: 'email address')
        audit_changes(:encrypted_password, as: 'password', skip_changes: true)
        audit_changes(:username, as: 'username')
+        audit_changes(:admin, as: 'admin status')

        success
      end

--- a/ee/spec/services/ee/users/update_service_spec.rb
+++ b/ee/spec/services/ee/users/update_service_spec.rb
@@ -101,6 +101,26 @@ RSpec.describe Users::UpdateService do
          stub_licensed_features(admin_audit_log: true)
        end

+        context 'updating administrator status' do
+          let_it_be(:admin_user) { create(:admin) }
+
+          it 'logs making a user an administrator' do
+            expect do
+              update_user_as(admin_user, user, admin: true)
+            end.to change { AuditEvent.count }.by(1)
+
+            expect(AuditEvent.last.present.action).to eq('Changed admin status from false to true')
+          end
+
+          it 'logs making an administrator a user' do
+            expect do
+              update_user_as(admin_user, create(:admin), admin: false)
+            end.to change { AuditEvent.count }.by(1)
+
+            expect(AuditEvent.last.present.action).to eq('Changed admin status from true to false')
+          end
+        end
+
        context 'updating username' do
          it 'logs audit event' do
            previous_username = user.username