Changing a member's permission is not logged in Activity
Summary
When changing a group member's permission level, e.g. from Reporter to Developer, nothing is logged in the Activity log.
Steps to reproduce
- find a member in a group with the Reporter role
- change that member to the Developer role
- check the activity log to see if it was logged (for example: https://gitlab.com/groups/fdroid/activity)
Example Project
I changed uniqx in https://gitlab.com/groups/fdroid from Reporter to Developer, there is nothing in https://gitlab.com/groups/fdroid/activity Two weeks ago, someone else changed Bubu from Reporter to Developer and that is also not in the Activity log.
What is the current bug behavior?
(What actually happens)
What is the expected correct behavior?
All security-sensitive events should be logged in Activity. The security of an open, flexible system like this is based on keeping all activity visible.
Relevant logs and/or screenshots
https://gitlab.com/groups/fdroid/activity
Output of checks
This bug happens on GitLab.com
Possible fixes
Log all role/permission changes to the Activity log. Those events should also be sent to the various hooks so that they can be reported to IRC, Matrix, Slack, etc.