While impersonating a different user, the action_events shows the impersonated user, implying the change was made by the impersonated user

[bmoex]

• Nova Version: 4.35.2

Summary

As the impersonation implementation is available for laravel nova, I've found a 'vulnerability' for invalid auditing. Impersonation works perfectly and has a beautiful way of showing impersonation.

However, while tracking our audit_actions, i've noticed invalid records for that user_id.
This can pollute this table with invalid data.

Details

When impersonating another user, the action_events writes the current user id (impersonated user) as 'owner' of that action.

Detailed steps to reproduce the issue on a fresh Nova installation

1. Implement impersonation for another nova user
2. Impersonate another nova user
3. Invoke a simple crud action

Impact

I expect this as low impact in general but as this is required by our security/privacy policy to be monitored. This has high impact for us.

Possible solution(s)

A) Use the id of the original impersonated in user_id
B) Add a column through_user_id with this impersonated id if available

[crynobone]

I believe this need to be study in detail before making a massive change. In the meantime, temporary you might want to look into overriding the AcrionEvent model or setting the user via Model Observer

[bmoex]

Yes, the model observer was our initial fix but I found it important to report as this should be a thing to think about.