Validate list audit event matches URL-requested list, and unit test.#7757

Open
labkey-bpatel wants to merge 1 commit into
release25.7-SNAPSHOTfrom
25.7_fb_owasp_lists_audit
Conversation

@labkey-bpatel labkey-bpatel commented Jun 16, 2026

Rationale

OWASP Finding: _list container-resolved, but rendered old/new maps from AuditLogService.getAuditEvent(user, LIST_AUDIT_EVENT, rowId) global (cf=null); event never tied to list, event.getContainer() unchecked

The audit details action previously looked up audit events globally by row ID after resolving the requested list, which could allow an event from one list to be displayed in the context of another list. The fix tightens the lookup to the resolved list container and ensures the event is associated with the requested list before returning any record data.

Related Pull Requests

Changes

  • Pass an explicit ContainerFilter.current(_list.getContainer(), user) to getAuditEvent so the lookup is anchored to the list's container even if the audit schema's default ContainerFilter is ever changed.
  • Add ListAuditProvider.auditEventMatchesList() — verifies the event's listId and container match the URL-requested values. Treat any mismatch as "no details available" (same UX as the legitimate event-not-found path).
  • Add ListAuditProvider.TestCase covering the predicate matrix: match, null event, wrong listId, wrong container, null event container. Registered in ListModule.getUnitTests.

Tasks 📍

  • Claude Code Review
  • Manual Testing
  • Test Automation
  • Verify Fix
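As an added illustration in Java (not code from this PR or from LabKey), the pre-fix global lookup by rowId beside the container-scoped lookup and the ownership predicate the Changes describe, exercised with the predicate matrix listed for the TestCase. The `AuditEvent` record, the `Map` store and the two lookup method names are assumptions standing in for the real AuditLogService/ContainerFilter types; only `auditEventMatchesList` takes its name from the PR.

```java
import java.util.Arrays;
import java.util.Map;
import java.util.Optional;

public class ListAuditCheckDemo {
    /** Hypothetical list audit event: rowId, the listId it belongs to, and the container it was logged in. */
    record AuditEvent(int rowId, int listId, String containerId) {}
    /** Before the fix: global lookup by rowId with no container filter (cf=null),
     *  so a rowId from any list in any container resolves. */
    static Optional<AuditEvent> getEventGlobal(Map<Integer, AuditEvent> store, int rowId) {
        return Optional.ofNullable(store.get(rowId));
    }

    /** After the fix: lookup anchored to the requesting list's container, the effect of
     *  passing ContainerFilter.current(_list.getContainer(), user) to getAuditEvent. */
    static Optional<AuditEvent> getEventInContainer(Map<Integer, AuditEvent> store, int rowId, String containerId) {
        return getEventGlobal(store, rowId).filter(e -> containerId.equals(e.containerId()));
    }

    /** Ownership predicate in the spirit of ListAuditProvider.auditEventMatchesList():
     *  null event, wrong listId, null or wrong container all read as "no details available". */
    static boolean auditEventMatchesList(AuditEvent event, int listId, String containerId) {
        return event != null
            && event.listId() == listId
            && event.containerId() != null
            && event.containerId().equals(containerId);
    }

    public static void main(String[] args) {
        // Constructed data: rowId 1 belongs to list 10 in container "A", rowId 2 to list 20 in container "B".
        Map<Integer, AuditEvent> store = Map.of(
            1, new AuditEvent(1, 10, "A"),
            2, new AuditEvent(2, 20, "B"));
        // A details request for list 10 in "A" that supplies rowId=2, an event of another list in another container.
        Optional<AuditEvent> before = getEventGlobal(store, 2);            // pre-fix path: no tie to the requested list
        Optional<AuditEvent> after = getEventInContainer(store, 2, "A");   // post-fix path: filtered by the list's container
        System.out.println("global lookup found event: " + before.isPresent()
            + ", container-scoped lookup found event: " + after.isPresent());
        // The predicate matrix from the PR's TestCase, applied against list 10 in container "A".
        boolean[] matrix = {
            auditEventMatchesList(new AuditEvent(1, 10, "A"), 10, "A"),   // match
            auditEventMatchesList(null, 10, "A"),                          // null event
            auditEventMatchesList(new AuditEvent(1, 11, "A"), 10, "A"),   // wrong listId
            auditEventMatchesList(new AuditEvent(1, 10, "B"), 10, "A"),   // wrong container
            auditEventMatchesList(new AuditEvent(1, 10, null), 10, "A"),  // null event container
        };
        System.out.println("matrix [match, nullEvent, wrongList, wrongContainer, nullContainer]: " + Arrays.toString(matrix));
    }
}
```

Only the first matrix entry should hold; the scoped lookup plus the predicate together are what stop a rowId belonging to another list from rendering in this list's audit details.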
