Axel Wers Posted April 21, 2012 Share Posted April 21, 2012 In 3.3.x we have a new feature, via ACP I can login on board as desired member and check his/her permissions on board etc. OK, pretty good, it can be usefull. But in this case I have complete control over member's account what include reading of private messages. Is that OK? I think some categories shouldn't be accessible for admin. What do you think? Link to comment Share on other sites More sharing options...
Kyle F Posted April 21, 2012 Share Posted April 21, 2012 While it is an invasion of a members privacy, however is useful to check PMs IF that member was reported for PM advertising etc. (If you have a strict rule against PM advertising). Link to comment Share on other sites More sharing options...
Misi Posted April 21, 2012 Share Posted April 21, 2012 Access to private messages should be disabled permanently. Is the admin itching to read them? There is phpmyadmin for that purpose. Link to comment Share on other sites More sharing options...
dean84 Posted April 21, 2012 Share Posted April 21, 2012 They ain't personal messages though are they, they are only conversations, so that you can chose to speak to someone that way other than via the forums. If we get reports of a user abusing the conversations system, ie threatening and abusive language. We need the ability to check it out, as we won't act unless we have proof. Link to comment Share on other sites More sharing options...
Kyle F Posted April 21, 2012 Share Posted April 21, 2012 They ain't personal messages though are they, they are only conversations, so that you can chose to speak to someone that way other than via the forums. If we get reports of a user abusing the conversations system, ie threatening and abusive language. We need the ability to check it out, as we won't act unless we have proof.But then again, the member being "abusive" could just delete the conversations history on his/her end. :o Link to comment Share on other sites More sharing options...
Hunting insects... Posted April 21, 2012 Share Posted April 21, 2012 Access to private messages should be disabled permanently. Is the admin itching to read them? There is phpmyadmin for that purpose. They are not and never were "private" messages and as you you point out may be accessed via the database anyway. Nothing has really changed... Link to comment Share on other sites More sharing options...
Aiwa Posted April 21, 2012 Share Posted April 21, 2012 The only private messages anyone have on my board are the ones NOT on my board. Just like forum topics, all information becomes the property of the board owner. Nothing is private unless it is encoded in the DB. so passwords are still private. Link to comment Share on other sites More sharing options...
AndyF Posted April 21, 2012 Share Posted April 21, 2012 You can always just ignore the newer feature. :) Ultimately there was a third party hook to do this on older versions anyway and its not that difficult to either read things in the db and / or temporarily change details to login as whatever member. Link to comment Share on other sites More sharing options...
Axel Wers Posted April 21, 2012 Author Share Posted April 21, 2012 Ultimately there was a third party hook to do this on older versions anyway and its not that difficult to either read things in the db and / or temporarily change details to login as whatever member. Yes, but there is something different. You can use that hook or check PMs via phpMyAdmin - and NOBODY knows it But when I will login via this new feature nick of that user (who currently I control) is visible in online list. And someone other can see it and will ask that member: "Hey were you on board yesterday evening?" "Not, why?" "I saw you online!" "What? How is possible? Hey admin can you explain it?!" Problem is, when admin will use this feature, everything is logged. It's dangerous for credibility. Generally feature is not bad, Admin can see or fix possible problems from member's view, but some things shouldn't be revealed. Link to comment Share on other sites More sharing options...
Rimi Posted April 21, 2012 Share Posted April 21, 2012 "Hey were you on board yesterday evening?" "Not, why?" "I saw you online!" "What? How is possible? Hey admin can you explain it?!""Looks like a bug." :P Anyway I don't know what you're more worried about. Member's privacy or being caught. Link to comment Share on other sites More sharing options...
Aiwa Posted April 21, 2012 Share Posted April 21, 2012 I haven't used this feature yet, but does it allow you to log in annomously as that user? Then they won't show in the online list. Or there is a hook that allows you to toggle visibility. As soon as you log in as them, go invisible. Link to comment Share on other sites More sharing options...
connorhawke Posted April 21, 2012 Share Posted April 21, 2012 Logging in as a member via the ACP should have virtually no differences from logging in as that member normally. In the case of verifying that permissions are correctly set, etc., any discrepancies can be nightmarish. Link to comment Share on other sites More sharing options...
Management Charles Posted April 21, 2012 Management Share Posted April 21, 2012 Keep in mind an admin can change a user's password to gain access or just simply directly-query the database. Granted this feature may make it a bit easier for an admin to access a user's information on their community but they have always been able to. Link to comment Share on other sites More sharing options...
Rimi Posted April 21, 2012 Share Posted April 21, 2012 Incidentally is it possible to use ACP restrcitions to only remove access to that one button? Link to comment Share on other sites More sharing options...
Axel Wers Posted April 21, 2012 Author Share Posted April 21, 2012 Anyway I don't know what you're more worried about. Member's privacy or being caught. Do you have problems with understanding? This feature should help only for problems with accounts, not to gain whole access for administrator. Link to comment Share on other sites More sharing options...
Rimi Posted April 21, 2012 Share Posted April 21, 2012 Do you have problems with understanding? This feature should help only for problems with accounts, not to gain whole access for administrator.Well, actually, your English isn't very fluent so I suppose I do have a problem understanding. Please forgive me. I don't think you understand the complexities of what you're suggesting. There are just so many extra places IPS would have to add checks to to see if the session was logged in via admin which would just lead to a lot more bugs. It's such an impractical suggestion. Besides what if the account problem is with PMs specifically? There's a thread in the technical support board right now where someone has users who are claiming that they can't reply to PMs. How would we look into this issue if we had your restrictions in place? We couldn't. Again your suggestion is impractical. Link to comment Share on other sites More sharing options...
Mark Posted April 21, 2012 Share Posted April 21, 2012 Incidentally is it possible to use ACP restrcitions to only remove access to that one button? Yes. Link to comment Share on other sites More sharing options...
Axel Wers Posted April 23, 2012 Author Share Posted April 23, 2012 There's a thread in the technical support board right now where someone has users who are claiming that they can't reply to PMs. How would we look into this issue if we had your restrictions in place? We couldn't. I use IPB more than 8 years and nobody had problems with PMs. So in this case it should be issue on member's side. In 99% cases it makes problem with cookies, if not check personal settings for that members (any restrictions?) or group settings. Still nothing? Maybe browser issue? Try another. Easy from admin view. If you cannot fix it, you aren't probably good admin. By the way, you have had something with my english. Well english is not my mother language but I think it's still understable. You seems to be wise so I sent you PM in my language, you should understand (because you seems to be VERY wise) and we can carry on in my language in PMs because this topic already goes in other way. Link to comment Share on other sites More sharing options...
Rimi Posted April 23, 2012 Share Posted April 23, 2012 Nevermind. Link to comment Share on other sites More sharing options...
Pereira Posted April 23, 2012 Share Posted April 23, 2012 So basically you can quickly and easily log into any members account at your own discretion? Does this mean you can just log into their account and post as them too? Link to comment Share on other sites More sharing options...
Rimi Posted April 23, 2012 Share Posted April 23, 2012 So basically you can quickly and easily log into any members account at your own discretion? Does this mean you can just log into their account and post as them too?That's correct. Link to comment Share on other sites More sharing options...
Pereira Posted April 23, 2012 Share Posted April 23, 2012 Unbelievable that you would want to give admins such unfettered access to member accounts. I can't count how many ways this can be abused. Not only is it poorly implemented but your rivals have already had much better implementation of this, much earlier and here's the key differences: Testing Permissions [color=#141414]It can be a challenge to confirm that you have correctly set up a user’s permissions. To ease this, XenForo includes a Test Permissions system. You enter a user’s name and you will be shown the forum as if you applied the user’s permission to yourself.[/color] [color=#141414]Please keep in mind the following caveats:[/color] You are still logged in as yourself, not the user you’re testing as. You will not be able to see their conversations, watched threads, etc. User-specific changes such as banning or discouragement will not affect you. As the permissions are applied to you, if a permission grants you access to do something only to your own posts (such as editing), you can only edit posts that you made, not posts made by the test user. [color=#141414]To exit permission testing, click the Permissions from Name text at the top of the page and confirm that you want to go back to your permissions.[/color] This of course is the proper way to implement such a feature. I can't understand first off why you would give such control to admins and secondly, implement this in such a poor way especially when you've had a chance to better your rivals. One step forward and two steps back it seems. :yawn: Link to comment Share on other sites More sharing options...
Marcher Technologies Posted April 23, 2012 Share Posted April 23, 2012 [img] [/img] Unbelievable that you would want to give admins such unfettered access to member accounts. I can't count how many ways this can be abused. Not only is it poorly implemented but your rivals have already had much better implementation of this, much earlier and here's the key differences: This of course is the proper way to implement such a feature. I can't understand first off why you would give such control to admins and secondly, implement this in such a poor way especially when you've had a chance to better your rivals. One step forward and two steps back it seems. :yawn: .... hand-holding? Everything this tool does is already completely possible through database interaction.... i can absolutely manually add a post by member x, just as much as i can read every PM.... I ask, what is truly the difference? What good does it do to not show the admin using the tool exactly and precisely what the user would see to a tee? Link to comment Share on other sites More sharing options...
Pereira Posted April 23, 2012 Share Posted April 23, 2012 .... hand-holding? Everything this tool does is already completely possible through database interaction.... i can absolutely manually add a post by member x, just as much as i can read every PM.... I ask, what is truly the difference? What good does it do to not show the admin using the tool exactly and precisely what the user would see to a tee? No password changes or access to a database is required to do any of this in this case. I have never wanted or had any reason to check a members permissions let alone read members personnel conversations. It's not only completely unnecessary but possibly raises more issues itself when put in the wrong hands. The natural reaction to this seems to be "just ignore it". This kind of exactitude is self explanatory I think. Now look at my above post again and tell me honestly, which implementation is better? IPB or XenForo. Link to comment Share on other sites More sharing options...
Marcher Technologies Posted April 23, 2012 Share Posted April 23, 2012 Wrong hands.... quite precisely.... IPB has a rather robust feature-set regarding both managing members and controlling who can manage them...... I still think for full testing purposes, especially with third-party apps, which primarily depend on the SHOWN member id... ergo, you need to ACTUALLY be logged in with x mem id to see y, it is imperative to not alter what is shown, which is why I at this time answer IPB.... the only right way to do that is to ACTUALLY log the user in as x member, especially when it has to take into account both groups settings and permissions for that specific user across all apps. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.