Added logging of auth key changes, fixes #715

- Changing the auth key now creates a log entry that inclues the user's ID, e-mail address old and new autkeys
- Also removed the logging of the hashed password for newly created users

VERSION.json

@@ -1 +1 @@
-{"major":2, "minor":3, "hotfix":158}
+{"major":2, "minor":3, "hotfix":159}

app/Controller/UsersController.php

@@ -587,11 +587,17 @@ class UsersController extends AppController {
 			$this->Session->setFlash(__('Invalid id for user', true), 'default', array(), 'error');
 			$this->redirect(array('action' => 'view', $this->Auth->user('id')));
 		}
-		$this->User->read();
+		$user = $this->User->read();
+		$oldKey = $this->User->data['User']['authkey'];
 		if ('me' == $id ) $id = $this->Auth->user('id');
 		else if (!$this->_isSiteAdmin() && !($this->_isAdmin() && $this->Auth->user('org') == $this->User->data['User']['org']) && ($this->Auth->user('id') != $id)) throw new MethodNotAllowedException();
 		$newkey = $this->User->generateAuthKey();
 		$this->User->saveField('authkey', $newkey);
+		$this->__extralog(
+				'reset_auth_key', 
+				'Authentication key for user ' . $user['User']['id'] . ' (' . $user['User']['email'] . ')', 
+				$fieldsResult = 'authkey(' . $oldKey . ') => (' . $newkey . ')'
+		);
 		$this->Session->setFlash(__('New authkey generated.', true));
 		$this->_refreshAuth();
 		$this->redirect($this->referer());

app/Model/Log.php

@@ -32,7 +32,8 @@ class Log extends AppModel {
 							'update_database',
 							'version_warning',
 							'auth',
-							'auth_fail'
+							'auth_fail',
+							'reset_auth_key'
 						)),
 			'message' => 'Options : ...'
 		)

app/Model/User.php

@@ -218,7 +218,8 @@ class User extends AppModel {
 		'SysLogLogable.SysLogLogable' => array(	// TODO Audit, logable
 			'userModel' => 'User',
 			'userKey' => 'user_id',
-			'change' => 'full'
+			'change' => 'full',
+			'ignore' => array('password')
 		),
 		'Trim',
 		'Containable'