From e6d7a16ec0e9eb17ee6877a0cd11240fdcef1334 Mon Sep 17 00:00:00 2001
From: Luke Duncalfe
Date: Tue, 7 May 2024 15:47:36 +1200
Subject: [PATCH 1/3] Skip audit event on download of export, if silent
If the instance has enabled Silent Admin Exports, and the user who is downloading the export is an admin we skip creating an audit event.
https://gitlab.com/gitlab-org/gitlab/-/issues/294168
Changelog: added
---
 ee/app/controllers/ee/projects_controller.rb | 2 ++
 .../controllers/projects_controller_spec.rb | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+)
diff --git a/ee/app/controllers/ee/projects_controller.rb b/ee/app/controllers/ee/projects_controller.rb
index 565c8419292ac3..eca12c7e91d063 100644
--- a/ee/app/controllers/ee/projects_controller.rb
+++ b/ee/app/controllers/ee/projects_controller.rb
@@ -202,6 +202,8 @@ def log_audit_event(message:, event_type:)
 end
 def log_download_export_audit_event
+ return if current_user.can_admin_all_resources? && ::Gitlab::CurrentSettings.silent_admin_exports_enabled?
+
 log_audit_event(message: 'Export file download started', event_type: 'project_export_file_download_started')
 end
diff --git a/ee/spec/controllers/projects_controller_spec.rb b/ee/spec/controllers/projects_controller_spec.rb
index 54a34f42e8bc18..b41de746e100aa 100644
--- a/ee/spec/controllers/projects_controller_spec.rb
+++ b/ee/spec/controllers/projects_controller_spec.rb
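Review bot: The guard added at the top of `log_download_export_audit_event` tests only `::Gitlab::CurrentSettings.silent_admin_exports_enabled?`, while the documentation touched in patch 2/3 describes silent admin exports as controlled by the `export_audit_events` feature flag. Unless that settings reader already accounts for the flag (not visible in this hunk), disabling the flag would not restore audit events for admin downloads, which leaves an unexpected gap in the audit trail. Either make the condition flag-aware or record where the flag is enforced, for example `# Audit event skipped on purpose for silent admin exports; feature flag is enforced in <location>`. Since the early return removes a security record, a short comment stating that the omission is deliberate would also help the next reader.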
@@ -719,6 +719,25 @@
 let_it_be(:audit_name) { 'project_export_file_download_started' }
 let_it_be(:custom_message) { 'Export file download started' }
 end
+
+ context 'when user is admin', :enable_admin_mode do
+ let_it_be(:user) { create(:admin) }
+
+ it_behaves_like 'audit events with event type' do
+ let_it_be(:audit_name) { 'project_export_file_download_started' }
+ let_it_be(:custom_message) { 'Export file download started' }
+ end
+
+ context 'when silent exports enabled' do
+ before do
+ stub_application_setting(silent_admin_exports_enabled: true)
+ end
+
+ it 'does not log an audit event' do
+ expect { request }.not_to change { AuditEvent.count }
+ end
+ end
+ end
 end
 context 'when project export is disabled' do
-- GitLab
From fdd6e31f47d1b1fc0eddcdc35c7bd5fd469d1b3d Mon Sep 17 00:00:00 2001
From: Luke Duncalfe
Date: Wed, 15 May 2024 15:46:29 +1200
Subject: [PATCH 2/3] Update feature docs
---
 doc/administration/settings/import_and_export_settings.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/doc/administration/settings/import_and_export_settings.md b/doc/administration/settings/import_and_export_settings.md
index 221bfb843bdf45..51d378bf3600c7 100644
--- a/doc/administration/settings/import_and_export_settings.md
+++ b/doc/administration/settings/import_and_export_settings.md
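Review bot: The new examples exercise the setting only for an admin, so nothing in this hunk pins the other half of the guard: with `silent_admin_exports_enabled: true`, a non-admin download must still produce the `project_export_file_download_started` event. I would add a sibling context for the regular user that calls `stub_application_setting(silent_admin_exports_enabled: true)` and reuses `it_behaves_like 'audit events with event type'`. An admin without `:enable_admin_mode` is a second case worth covering, on the assumption that `can_admin_all_resources?` is false there. The enclosing context begins outside the hunk, so the existing user setup is not visible here.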
@@ -69,12 +69,13 @@ The same setting ## Enable silent admin exports > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/151278) in GitLab 17.0 [with a flag](../../administration/feature_flags.md) named `export_audit_events`. Disabled by default. +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/152143) for file export downloads in GitLab 17.1 FLAG: The availability of this feature is controlled by a feature flag. For more information, see the history. Enable silent admin exports to prevent [audit events](../audit_event_reports.md) when -instance administrators trigger a [project or group file export](../../user/project/settings/import_export.md). +instance administrators trigger a [project or group file export](../../user/project/settings/import_export.md) or download the export file. Exports from non-administrators still generate audit events. To enable silent admin project and group file exports: -- GitLab From 315cf39f8653e119d71d87259157e4e6a29a22a2 Mon Sep 17 00:00:00 2001 From: Luke Duncalfe Date: Wed, 15 May 2024 05:30:38 +0000 Subject: [PATCH 3/3] Apply 1 suggestion(s) to 1 file(s) Co-authored-by: Evan Read --- doc/administration/settings/import_and_export_settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/administration/settings/import_and_export_settings.md b/doc/administration/settings/import_and_export_settings.md index 51d378bf3600c7..d139a90ef0e371 100644 --- a/doc/administration/settings/import_and_export_settings.md +++ b/doc/administration/settings/import_and_export_settings.md 
@@ -69,7 +69,7 @@ The same setting ## Enable silent admin exports > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/151278) in GitLab 17.0 [with a flag](../../administration/feature_flags.md) named `export_audit_events`. Disabled by default. -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/152143) for file export downloads in GitLab 17.1 +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/152143) for file export downloads in GitLab 17.1. FLAG: The availability of this feature is controlled by a feature flag. For more information, see the history. -- GitLab