feat(auditlog): Add audit logs for file create/delete

Author: sakshamarora1

invenio_rdm_records/auditlog/__init__.py

@@ -0,0 +1,9 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (C) 2026 CERN.
+#
+# Invenio-RDM-Records is free software; you can redistribute it and/or
+# modify it under the terms of the MIT License; see LICENSE file for more
+# details.
+
+"""Audit log actions init."""

invenio_rdm_records/auditlog/actions.py

@@ -0,0 +1,44 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (C) 2026 CERN.
+#
+# Invenio-RDM-Records is free software; you can redistribute it and/or
+# modify it under the terms of the MIT License; see LICENSE file for more
+# details.
+
+"""Action registration via entrypoint function."""
+
+import marshmallow as ma
+from invenio_drafts_resources.auditlog.actions import BaseAuditLog
+from invenio_i18n import lazy_gettext as _
+
+from .context import FileContext
+
+
+class FileCreateAuditLog(BaseAuditLog):
+    """Audit log for file create."""
+
+    resource_type = "draft"
+
+    context = BaseAuditLog.context + [
+        FileContext(),
+    ]
+
+    id = "file.create"
+    message_template = _(
+        "User {user_id} created file {file_key} of {resource_type} {resource_id}."
+    )
+
+    metadata_schema = {
+        **BaseAuditLog.metadata_schema,
+        "file_key": ma.fields.String(required=True),
+    }
+
+
+class FileDeleteAuditLog(FileCreateAuditLog):
+    """Audit log for file delete."""
+
+    id = "file.delete"
+    message_template = _(
+        "User {user_id} deleted file {file_key} of {resource_type} {resource_id}."
+    )

invenio_rdm_records/auditlog/context.py

@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (C) 2026 CERN.
+#
+# Invenio-RDM-Records is free software; you can redistribute it and/or
+# modify it under the terms of the MIT License; see LICENSE file for more
+# details.
+
+"""Audit log context resolvers."""
+
+from invenio_records.dictutils import dict_set
+
+
+class FileContext(object):
+    """Payload generator for setting file data."""
+
+    def __call__(self, data, **kwargs):
+        """Update data with file data."""
+        file_key = kwargs.get("file_key", None)
+        dict_set(data, "metadata.file_key", file_key)

invenio_rdm_records/services/access/service.py

@@ -16,6 +16,7 @@
 from flask import current_app
 from flask_login import current_user
 from invenio_access.permissions import authenticated_user, system_identity
+from invenio_audit_logs.services.uow import AuditLogOp
 from invenio_base import invenio_url_for
 from invenio_drafts_resources.services.records import RecordService
 from invenio_drafts_resources.services.records.uow import ParentRecordCommitOp
@@ -30,6 +31,14 @@
 from marshmallow.exceptions import ValidationError
 from sqlalchemy.orm.exc import NoResultFound
 
+from invenio_rdm_records.auditlog.actions import (
+    RDMDraftAccessSettingsAuditLog,
+    RDMDraftGrantAuditLog,
+    RDMDraftSecretLinkAuditLog,
+    RDMRecordAccessSettingsAuditLog,
+    RDMRecordGrantAuditLog,
+    RDMRecordSecretLinkAuditLog,
+)
 from invenio_rdm_records.notifications.builders import (
     GrantUserAccessNotificationBuilder,
     GuestAccessRequestTokenCreateNotificationBuilder,
@@ -222,6 +231,22 @@ def create_secret_link(self, identity, id_, data, links_config=None, uow=None):
         uow.register(ParentRecordCommitOp(parent, indexer_context=dict(service=self)))
         self._update_parent_request(parent, uow)
 
+        audit_log_builder = (
+            RDMRecordSecretLinkAuditLog
+            if isinstance(record, self.record_cls)
+            else RDMDraftSecretLinkAuditLog
+        )
+        uow.register(
+            AuditLogOp(
+                audit_log_builder.build(
+                    identity,
+                    parent.pid.pid_value,
+                    before={},
+                    after=link.to_dict(),
+                    triggered_by=record,
+                )
+            )
+        )
         return self.link_result_item(
             self,
             identity,
@@ -301,6 +326,7 @@ def update_secret_link(
 
         link_idx = link_ids.index(link_id)
         link = parent.access.links[link_idx].resolve()
+        old_link = link.to_dict()
 
         # Validation
         data, __ = self.schema_secret_link.load(
@@ -323,6 +349,22 @@ def update_secret_link(
         uow.register(ParentRecordCommitOp(parent, indexer_context=dict(service=self)))
         self._update_parent_request(parent, uow)
 
+        audit_log_builder = (
+            RDMRecordSecretLinkAuditLog
+            if isinstance(record, self.record_cls)
+            else RDMDraftSecretLinkAuditLog
+        )
+        uow.register(
+            AuditLogOp(
+                audit_log_builder.build(
+                    identity,
+                    parent.pid.pid_value,
+                    before=old_link,
+                    after=link.to_dict(),
+                    triggered_by=record,
+                )
+            )
+        )
         return self.link_result_item(
             self,
             identity,
@@ -353,6 +395,22 @@ def delete_secret_link(self, identity, id_, link_id, links_config=None, uow=None
         uow.register(ParentRecordCommitOp(parent, indexer_context=dict(service=self)))
         self._update_parent_request(parent, uow)
 
+        audit_log_builder = (
+            RDMRecordSecretLinkAuditLog
+            if isinstance(record, self.record_cls)
+            else RDMDraftSecretLinkAuditLog
+        )
+        uow.register(
+            AuditLogOp(
+                audit_log_builder.build(
+                    identity,
+                    parent.pid.pid_value,
+                    before=link.to_dict(),
+                    after={},
+                    triggered_by=record,
+                )
+            )
+        )
         return True
 
     #
@@ -447,6 +505,22 @@ def bulk_create_grants(self, identity, id_, data, expand=False, uow=None):
         uow.register(ParentRecordCommitOp(parent, indexer_context=dict(service=self)))
         self._update_parent_request(parent, uow)
 
+        audit_log_builder = (
+            RDMRecordGrantAuditLog
+            if isinstance(record, self.record_cls)
+            else RDMDraftGrantAuditLog
+        )
+        uow.register(
+            AuditLogOp(
+                audit_log_builder.build(
+                    identity,
+                    parent.pid.pid_value,
+                    before=[],
+                    after=[g.to_dict() for g in new_grants],
+                    triggered_by=record,
+                )
+            )
+        )
         return self.grants_result_list(
             self,
             identity,
@@ -542,6 +616,22 @@ def update_grant(
         uow.register(ParentRecordCommitOp(parent, indexer_context=dict(service=self)))
         self._update_parent_request(parent, uow)
 
+        audit_log_builder = (
+            RDMRecordGrantAuditLog
+            if isinstance(record, self.record_cls)
+            else RDMDraftGrantAuditLog
+        )
+        uow.register(
+            AuditLogOp(
+                audit_log_builder.build(
+                    identity,
+                    parent.pid.pid_value,
+                    before=[old_grant.to_dict()],
+                    after=[new_grant.to_dict()],
+                    triggered_by=record,
+                )
+            )
+        )
         return self.grant_result_item(
             self,
             identity,
@@ -596,11 +686,27 @@ def delete_grant(self, identity, id_, grant_id, uow=None):
             raise PermissionDeniedError()
 
         # Deletion
-        parent.access.grants.pop(grant_id)
+        deleted_grant = parent.access.grants.pop(grant_id)
 
         uow.register(ParentRecordCommitOp(parent, indexer_context=dict(service=self)))
         self._update_parent_request(parent, uow)
 
+        audit_log_builder = (
+            RDMRecordGrantAuditLog
+            if isinstance(record, self.record_cls)
+            else RDMDraftGrantAuditLog
+        )
+        uow.register(
+            AuditLogOp(
+                audit_log_builder.build(
+                    identity,
+                    parent.pid.pid_value,
+                    before=[deleted_grant.to_dict()],
+                    after=[],
+                    triggered_by=record,
+                )
+            )
+        )
         return True
 
     def _exists(self, created_by, record_id, request_type):
@@ -844,10 +950,28 @@ def update_access_settings(
         )
 
         # Update
+        old_settings = parent.access.settings.dump()
         setattr(parent.access, "settings", data)
 
         uow.register(ParentRecordCommitOp(parent, indexer_context=dict(service=self)))
 
+        audit_log_builder = (
+            RDMRecordAccessSettingsAuditLog
+            if isinstance(record, self.record_cls)
+            else RDMDraftAccessSettingsAuditLog
+        )
+        uow.register(
+            AuditLogOp(
+                audit_log_builder.build(
+                    identity,
+                    parent.pid.pid_value,
+                    before=old_settings,
+                    after=parent.access.settings.dump(),
+                    triggered_by=record,
+                )
+            )
+        )
+
         return self.result_item(
             self,
             identity,
@@ -964,6 +1088,22 @@ def update_grant_by_subject(
         uow.register(ParentRecordCommitOp(parent, indexer_context=dict(service=self)))
         self._update_parent_request(parent, uow)
 
+        audit_log_builder = (
+            RDMRecordGrantAuditLog
+            if isinstance(record, self.record_cls)
+            else RDMDraftGrantAuditLog
+        )
+        uow.register(
+            AuditLogOp(
+                audit_log_builder.build(
+                    identity,
+                    parent.pid.pid_value,
+                    before=[old_grant.to_dict()],
+                    after=[new_grant.to_dict()],
+                    triggered_by=record,
+                )
+            )
+        )
         return self.grant_result_item(
             self,
             identity,
@@ -995,4 +1135,20 @@ def delete_grant_by_subject(
         uow.register(ParentRecordCommitOp(parent, indexer_context=dict(service=self)))
         self._update_parent_request(parent, uow)
 
+        audit_log_builder = (
+            RDMRecordGrantAuditLog
+            if isinstance(record, self.record_cls)
+            else RDMDraftGrantAuditLog
+        )
+        uow.register(
+            AuditLogOp(
+                audit_log_builder.build(
+                    identity,
+                    parent.pid.pid_value,
+                    before=[result.to_dict()],
+                    after=[],
+                    triggered_by=record,
+                )
+            )
+        )
         return True

invenio_rdm_records/services/files/service.py

@@ -7,8 +7,14 @@
 
 """File Service API."""
 
+from invenio_audit_logs.services.uow import AuditLogOp
 from invenio_records_resources.services import FileService
+from invenio_records_resources.services.uow import unit_of_work
 
+from invenio_rdm_records.auditlog.actions import (
+    FileCreateAuditLog,
+    FileDeleteAuditLog,
+)
 from invenio_rdm_records.services.errors import RecordDeletedException
 
 
@@ -32,3 +38,23 @@ def _get_record(self, id_, identity, action, file_key=None):
         self._check_record_deleted_permissions(record, identity)
 
         return record
+
+    @unit_of_work()
+    def commit_file(self, identity, id_, file_key, uow=None):
+        """Commit a file upload."""
+        result = super().commit_file(identity, id_, file_key, uow=uow)
+
+        uow.register(
+            AuditLogOp(FileCreateAuditLog.build(identity, id_, file_key=file_key))
+        )  # Added here as audit logs can't be added to invenio-records-resources
+        return result
+
+    @unit_of_work()
+    def delete_file(self, identity, id_, file_key, uow=None):
+        """Delete a file."""
+        result = super().delete_file(identity, id_, file_key, uow=uow)
+
+        uow.register(
+            AuditLogOp(FileDeleteAuditLog.build(identity, id_, file_key=file_key))
+        )  # Added here as audit logs can't be added to invenio-records-resources
+        return result

setup.cfg

@@ -41,14 +41,15 @@ install_requires =
     invenio-base>=2.3.0,<3.0.0
     invenio-checks>=7.0.0,<8.0.0
     invenio-communities>=25.0.0,<26.0.0
-    invenio-drafts-resources>=8.0.0,<9.0.0
+    invenio-drafts-resources>=9.0.0,<10.0.0
     invenio-records-resources>=9.0.0,<10.0.0
     invenio-i18n>=3.0.0,<4.0.0
     invenio-jobs>=8.0.0,<9.0.0
     invenio-oaiserver>=4.0.0,<5.0.0
     invenio-oauth2server>=4.0.0,<5.0.0
     invenio-stats>=6.0.0,<7.0.0
     invenio-vocabularies>=11.0.0,<12.0.0
+    invenio-audit-logs>=2.0.0,<3.0.0
     nameparser>=1.1.1
     pycountry>=22.3.5
     pydash>=6.0.0,<7.0.0
@@ -147,6 +148,9 @@ invenio_users_resources.moderation.actions =
     approve = invenio_rdm_records.requests.user_moderation.actions:on_approve
 invenio_jobs.jobs =
     update_expired_embargos = invenio_rdm_records.jobs.jobs:update_expired_embargos_cls
+invenio_audit_logs.actions =
+    file.create = invenio_rdm_records.auditlog.actions:FileCreateAuditLog
+    file.delete = invenio_rdm_records.auditlog.actions:FileDeleteAuditLog
 
 [build_sphinx]
 source-dir = docs/