Log in... as some members (threat to privacy)


Axel Wers

In 3.3.x we have a new feature: via the ACP I can log in to the board as any desired member and check his/her permissions on the board, etc.

OK, pretty good, it can be useful.

But in this case I have complete control over the member's account, which includes reading private messages.

Is that OK? I think some categories shouldn't be accessible for admin. What do you think?

They ain't personal messages though are they, they are only conversations, so that you can choose to speak to someone that way other than via the forums.

If we get reports of a user abusing the conversations system, i.e. threatening and abusive language, we need the ability to check it out, as we won't act unless we have proof.



They ain't personal messages though are they, they are only conversations, so that you can choose to speak to someone that way other than via the forums.



If we get reports of a user abusing the conversations system, i.e. threatening and abusive language, we need the ability to check it out, as we won't act unless we have proof.


But then again, the member being "abusive" could just delete the conversations history on his/her end. :o

The only private messages anyone has on my board are the ones NOT on my board.

Just like forum topics, all information becomes the property of the board owner.

Nothing is private unless it is encoded in the DB, so passwords are still private.


You can always just ignore the newer feature. :) Ultimately there was a third party hook to do this on older versions anyway and it's not that difficult to either read things in the db and / or temporarily change details to log in as whatever member.



Ultimately there was a third party hook to do this on older versions anyway and it's not that difficult to either read things in the db and / or temporarily change details to log in as whatever member.



Yes, but there is something different.

You can use that hook or check PMs via phpMyAdmin - and NOBODY knows it.

But when I log in via this new feature, the nick of that user (whom I currently control) is visible in the online list.
And someone else can see it and will ask that member:
"Hey were you on board yesterday evening?"
"No, why?"
"I saw you online!"
"What? How is that possible? Hey admin can you explain it?!"

The problem is, when an admin uses this feature, everything is logged. It's dangerous for credibility. Generally the feature is not bad, an admin can see or fix possible problems from the member's view, but some things shouldn't be revealed.


"Hey were you on board yesterday evening?"


"No, why?"


"I saw you online!"


"What? How is that possible? Hey admin can you explain it?!"


"Looks like a bug."

:P

Anyway I don't know what you're more worried about. Member's privacy or being caught.

I haven't used this feature yet, but does it allow you to log in anonymously as that user? Then they won't show in the online list.

Or there is a hook that allows you to toggle visibility. As soon as you log in as them, go invisible.


  • Management

Keep in mind an admin can change a user's password to gain access or just simply directly query the database. Granted, this feature may make it a bit easier for an admin to access a user's information on their community, but they have always been able to.



Do you have problems with understanding? This feature should help only for problems with accounts, not to gain whole access for administrator.


Well, actually, your English isn't very fluent so I suppose I do have a problem understanding. Please forgive me.

I don't think you understand the complexities of what you're suggesting. There are just so many extra places IPS would have to add checks to see if the session was logged in via admin, which would just lead to a lot more bugs. It's such an impractical suggestion. Besides, what if the account problem is with PMs specifically? There's a thread in the technical support board right now where someone has users who are claiming that they can't reply to PMs. How would we look into this issue if we had your restrictions in place? We couldn't. Again, your suggestion is impractical.


There's a thread in the technical support board right now where someone has users who are claiming that they can't reply to PMs. How would we look into this issue if we had your restrictions in place? We couldn't.



I have used IPB for more than 8 years and nobody had problems with PMs. So in this case it should be an issue on the member's side. In 99% of cases it is a problem with cookies; if not, check personal settings for that member (any restrictions?) or group settings. Still nothing? Maybe a browser issue? Try another. Easy from the admin view. If you cannot fix it, you probably aren't a good admin. By the way, you have had something with my English. Well, English is not my mother language but I think it's still understandable. You seem to be wise so I sent you a PM in my language, you should understand (because you seem to be VERY wise) and we can carry on in my language in PMs because this topic is already going another way.

Unbelievable that you would want to give admins such unfettered access to member accounts. I can't count how many ways this can be abused. Not only is it poorly implemented but your rivals have already had much better implementation of this, much earlier, and here are the key differences:


Testing Permissions



It can be a challenge to confirm that you have correctly set up a user’s permissions. To ease this, XenForo includes a Test Permissions system. You enter a user’s name and you will be shown the forum as if you applied the user’s permission to yourself.

Please keep in mind the following caveats:

  • You are still logged in as yourself, not the user you’re testing as. You will not be able to see their conversations, watched threads, etc.
  • User-specific changes such as banning or discouragement will not affect you.
  • As the permissions are applied to you, if a permission grants you access to do something only to your own posts (such as editing), you can only edit posts that you made, not posts made by the test user.

To exit permission testing, click the Permissions from Name text at the top of the page and confirm that you want to go back to your permissions.




This of course is the proper way to implement such a feature. I can't understand first off why you would give such control to admins and secondly, implement this in such a poor way especially when you've had a chance to better your rivals.

One step forward and two steps back it seems. :yawn:





Unbelievable that you would want to give admins such unfettered access to member accounts. I can't count how many ways this can be abused. Not only is it poorly implemented but your rivals have already had much better implementation of this, much earlier, and here are the key differences:





This of course is the proper way to implement such a feature. I can't understand first off why you would give such control to admins and secondly, implement this in such a poor way especially when you've had a chance to better your rivals.



One step forward and two steps back it seems. :yawn:



.... hand-holding?
Everything this tool does is already completely possible through database interaction.... I can absolutely manually add a post by member x, just as much as I can read every PM.... I ask, what is truly the difference?
What good does it do to not show the admin using the tool exactly and precisely what the user would see to a tee?


.... hand-holding?


Everything this tool does is already completely possible through database interaction.... I can absolutely manually add a post by member x, just as much as I can read every PM.... I ask, what is truly the difference?


What good does it do to not show the admin using the tool exactly and precisely what the user would see to a tee?




No password changes or access to a database is required to do any of this in this case. I have never wanted or had any reason to check a member's permissions, let alone read members' personal conversations. It's not only completely unnecessary but possibly raises more issues itself when put in the wrong hands. The natural reaction to this seems to be "just ignore it". This kind of exactitude is self explanatory I think.

Now look at my above post again and tell me honestly, which implementation is better? IPB or XenForo.
Wrong hands.... quite precisely.... IPB has a rather robust feature-set regarding both managing members and controlling who can manage them...... I still think for full testing purposes, especially with third-party apps, which primarily depend on the SHOWN member id... ergo, you need to ACTUALLY be logged in with x mem id to see y, it is imperative to not alter what is shown, which is why I at this time answer IPB.... the only right way to do that is to ACTUALLY log the user in as x member, especially when it has to take into account both groups settings and permissions for that specific user across all apps.


Archived

This topic is now archived and is closed to further replies.
