Jump to content

Log in... as some members (threat to privacy)


Axel Wers

Recommended Posts


What good does it do to not show the admin using the tool exactly and precisely what the user would see to a tee?




If it's solely for checking permissions/settings then all of this can be done in the admin panel anyway. Why do I need to see your PM's in order to test such permissions?

To me, the way this has been implemented appears to be an easy way around actually creating a proper solution. i.e. a proper permission testing system and one where you can't read someones conversations and mislead a users activity.
Link to comment
Share on other sites

  • Replies 51
  • Created
  • Last Reply

If it's solely for checking permissions/settings then all of this can be done in the admin panel anyway. Why do I need to see your PM's in order to test such permissions?



To me, the way this has been implemented appears to be an easy way around actually creating a proper solution. i.e. a proper permission testing system and one where you can't read someones conversations and mislead a users activity.



Checking the settings is not checking they actually work Pereira, or that they are working as you understand them to in some cases.
If a user has a primary, several secondaries, and a perms set, any one of these could be contributing to something you are "certain" is set up correctly, but is not.
Link to comment
Share on other sites


[img]

[/img]


Wrong hands.... quite precisely.... IPB has a rather robust feature-set regarding both managing members and controlling who can manage them...... I still think for full testing purposes, especially with third-party apps, which primarily depend on the SHOWN member id... ergo, you need to ACTUALLY be logged in with x mem id to see y, it is imperative to not alter what is shown, which is why I at this time answer IPB.... the only right way to do that is to ACTUALLY log the user in as x member.



So a system can't be created where you can log in to test a users permissions based on their member id and do so without having the ability to read conversations, mislead user activity etc..?



It's not like this feature wasn't available before either. People could always do it via a hook available in the marketplace.



Which is precisely where it should have remained.
Link to comment
Share on other sites

>_< :unsure: I find this topic... frankly.... I'm so done here.
This can be discussed further obviously.... it is about no more than limiting the admins ability to quickly and effectively verify things are in order with a members account.
it is a tool, to be used, or not used at all.
I could go dredge up enough topics to make my head bleed open on the subject of not forcing admins to interact at the database level for such menial tasks, and the complaints thereof, but instead.... Have a Nice Day :) .

Link to comment
Share on other sites

I've made my position quite clear I think. Poor implementation and unnecessary (at least I can see no use for it).

You don't need to change any password or access any databases to read members PM's, imitate them and mislead their site activity.

Because I don't want this tho, apparently I shouldn't be running a website. :lol:

Link to comment
Share on other sites


(at least I can see no use for it)




And that's the key. So turn it off on your board.

I have used it on my board to diagnose issues already and, as a trusted admin, did not go near the PMs. Other admins clearly see a benefit of the feature and are making active use of it. Whether they are trustworthy and keep away from PMs is their business and you don't really need to worry about it.

Personally, even on another admins board I would not worry. Nothing sensitive will ever be communicated by me via PM and if they're really that interested in my messages, they could just ask. :P
Link to comment
Share on other sites


And that's the key. So turn it off on your board.



I have used it on my board to diagnose issues already and, as a trusted admin, did not go near the PMs. Other admins clearly see a benefit of the feature and are making active use of it. Whether they are trustworthy and keep away from PMs is their business and you don't really need to worry about it.



Personally, even on another admins board I would not worry. Nothing sensitive will ever be communicated by me via PM and if they're really that interested in my messages, they could just ask. :tongue:



You seem to be totally missing the point.

I'm not against the idea of a permissions testing system. As I've said before my issue is that it allows you to view conversations, act as the member and give a false representation of their activity all without having access to a database or changing a single password. A permissions/settings testing system should never require such access at admin level (this could all be done before by creating a test user anyway).

XenForo implemented it perfectly. Non invasive and does what it should only do i.e. test permissions and nothing else.
Link to comment
Share on other sites

As I haven't updated and still run 3.1.4, can someone please confirm if I understand this new feature right please?

First question, are we talking of a feature that comes with 3.3.1 and not of a third party hook?

Second question, if so, can you post as one of your members with it?

Personally I don't see much need to read members' PMs (but I do understand that it may be handy in exceptional circumstances), but I often find myself posting on behalf of members (obviously with their knowledge), when someone like a sponsor for example just sends me the content of the post via email, or when I need to separate the contents of a single post, so I leave part of it in the original, and make a new post as that member in another location. Currently I use one of Dawpi's excellent mods to achieve that and now I'm trying to convince him to upgrade it. :smile: However, if that option is now part of IP.Board, that will sort things out.

I thank anyone confirming this in advance, as this function is probably the only thing holding my forum upgrade at this stage. Cheers.

Link to comment
Share on other sites

If you want to read user PMs, that's easy to do without this future. I can think of several bugs related to private club blogs where this would have been helpful in resolving things and saved having to file a ticket with IPS.

I run a mental health support forum and have on a couple of occasions had to deal with sexual preditors looking to prey on abuse victims. You can bet your ass I read all their PMs. There are several occaisions where a forum admin might even have the legal obligation to read PMs if there is illegal activity.

One of the general rules of the internet is to assume that any unencrypted text can be read by anyone anywhere anyway.

Link to comment
Share on other sites

Guys,

Firstly, this was a feature of IP.Nexus already. We moved it to IP.Board, where it makes more sense, because there is often a need beyond just checking a user's client area (you may need to verify why they have trouble uploading a profile image, or they may be claiming "the editor isn't working" and you need to take a look for instance).

Secondly, you don't have to use it, you can hide it from your admins, etc.

Thirdly, you've always been able to simply change a member's password in the ACP and log in as them on the front end. In fact, this was the previous method of testing a user's account, and was inconvenient and required you to change their password (or obtain it from them), both of which are less than idea.

And finally, there are a million things beyond permissions that you may need to test. What if they say they get an error trying to submit a reputation on a post? What if they say they are following something but aren't getting emails? You might want to verify what they are following and their notification preferences. What if the member can't upload a profile image? Do they get an error? Image too big? There are a lot of things you may decide you need to test as the member to find the problem, the tool is not just for permissions and permissions alone.

Link to comment
Share on other sites


I haven't used this feature yet, but does it allow you to log in annomously as that user? Then they won't show in the online list.



Or there is a hook that allows you to toggle visibility. As soon as you log in as them, go invisible.





Hi my name is Jan,

This is strange that I have come here, which I usually do to read about how this or that works.
I have been wanting to do just that, what stated by oringinal poster, for a long time now, I did last year ask my Developer
but he said it wasn't possible, but now that I see it is "please" can somone explain it to me, I am Jan I run, and am the Root Admin. @
"bipolar4lifesupport"

I had a severe problem last year I could see in my Admin. CP by the bar graph, that there was much activity during these months with the issues per certain members!

Ok, BTW: How can i access this feature, to beable to "log in invisible & preview those lurkers PM," I would only do this under certain circumstances ex... one of my long term members started to flame and just bash people (me).
I then within two months lost like 10 of my most popular members good friends, and further more had no New Registrations for 5 months.
I mean it was like a grave yard.

I need that option. Can someone please tell me how to log in invisible, and how, if next time I can check someones PM's?
Sorry for the "long" story line, but I can't have that happen again. Thank you
Jan

Have Faith
Give More
Expect Less
B True 2 U !
Link to comment
Share on other sites

THREAD HIJACKER! :-P

You'd have to have 3.3.x IP.Board to log in as the member and a hook available from the marketplace to simply toggle your visibility (stealth mode!).. Both of which are only accessible to the license holder. You don't appear to be logged in as that account, so you'd have to get the license holders account to do it.

Link to comment
Share on other sites

The funny thing is if someone thinks that being able to easily access PMs is a privacy issue (not like it wasn't easy before anyway), why not just NOT DO IT?

The fact that someone might be battling themselves from viewing PMs given the option to view them or not, suggests that, possibly, they really do want to view the PMs, yet simultaneously believe that they shouldn't. In which case, the issue seems to primarily be with that person, and not the system. Sort that out!

The ability to view IP addresses might also be perceived by some as a privacy issue, possibly a bigger one, but I don't see as many complaints about that yet.

Link to comment
Share on other sites

The issue is that people are less likely to join such forums. I know I would never join a forum if an admin was known for abusing these kinds of powers. In fact I don't discuss private things in 3.3 pms anymore. I ask my friends for messenger contacts now..just paranoia.

Link to comment
Share on other sites


The issue is that people are less likely to join such forums. I know I would never join a forum if an admin was known for abusing these kinds of powers. In fact I don't discuss private things in 3.3 pms anymore. I ask my friends for messenger contacts now..just paranoia.




Oh, if the concern is about other admins, that's different. Still, if the things you're discussing are of such a nature that you wouldn't want an admin reading them, don't post it there regardless of how easy it is to access PMs. ;)
Link to comment
Share on other sites


Oh, if the concern is about other admins, that's different. Still, if the things you're discussing are of such a nature that you wouldn't want an admin reading them, don't post it there regardless of how easy it is to access PMs. ;)


This has become my approach now. When one of the sites I frequent upgraded I went ahead and deleted all my PMs. Again, it's just paranoia.
Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.

×
×
  • Create New...