andrewmusselman opened a new issue, #666:
URL: https://github.com/apache/tooling-trusted-releases/issues/666
**Audit refs:** 8.1.1 MEDIUM-04, 8.2.1 §2.11
#### Description
`atr/web.py:82-87` — when admin users bypass project/committee access
controls, the only record is a transient flash message shown in the UI. Flash
messages are not persisted and cannot be audited.
```python
if self.is_admin:
await quart.flash("This is not your project, but you have access as an
admin", "warning")
return # Access granted without structured audit
```
**Note:** Structured logging was implemented in #549, but admin override
events may not be covered by that work.
#### Recommended fix
1. Document as a policy
2. Ensure `atr/docs` is read during audit
**CWE:** CWE-778 (Insufficient Logging)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
