Admin log - Non-repudiation - Security issue

Hello,

I would like to know how I can trace operations done by Seafile admins. When an admin does some stuff on a library or on a user, it seems that there is no log of that anywhere… For example, if I’m connected with my admin account and decide to share or transfer a library of a user to another (me for example), this action isn’t logged… I tried on Seafile Pro edition 6.0.7.
I saw nothing in the admin interface and nothing in the server logs… I tried to configure DEBUG mode but it seems to change nothing.
It’s a problem for the non-repudiation matter…

Another security issue… When we create a local account in Seafile, the password is initialized manually or with some random function. The password is sent by email to the user. When the user logs in for the first time, Seafile offers the possibility to change the password, but the user is not obliged to do it, because he can type the same password… This password transits by email in plain text and can be visible. It would be better if the user was obliged to change it. I think it’s just a field verification to add.

Thank you.

2 Likes
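The field verification requested in the post above, sketched as an added example; it is not part of the original post and not Seafile's code. The `Account` record, the `must_change_password` flag, the function names and the PBKDF2 parameters are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000  # constructed value for this example


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:  # hypothetical account record, not Seafile's schema
    email: str
    salt: bytes
    password_hash: bytes
    must_change_password: bool = True  # set when the password was sent by email

    @classmethod
    def create_with_emailed_password(cls, email: str, initial_password: str) -> "Account":
        salt = os.urandom(16)
        return cls(email, salt, hash_password(initial_password, salt))


class PasswordChangeError(ValueError):
    pass


def change_password(account: Account, current: str, new: str) -> None:
    current_hash = hash_password(current, account.salt)
    if not hmac.compare_digest(current_hash, account.password_hash):
        raise PasswordChangeError("current password is wrong")
    # Only the hash is stored, so the candidate is hashed with the same salt
    # and compared: typing the emailed password again is rejected.
    if hmac.compare_digest(hash_password(new, account.salt), account.password_hash):
        raise PasswordChangeError("new password must differ from the emailed one")
    account.salt = os.urandom(16)
    account.password_hash = hash_password(new, account.salt)
    account.must_change_password = False  # cleared only after a real change


def can_use_service(account: Account) -> bool:
    # The login flow keeps the user on the change form while the flag is set.
    return not account.must_change_password
```
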

We observed this issue too. @daniel.pan

If the admin shares a library of a user, it’s just not logged.

The admin operation log will be added in version 6.1 pro edition.

We will look into the issue.

Maybe you can also fix the mail logs. Currently only those being sent when one wants to view a shared file where an email is required are being logged.

@shoeper And if a user gets invited / added through csv import.

@daniel.pan Thanks.