51 replies to this topic

[Axel Wers]

In 3.3.x we have a new feature, via ACP I can login on board as desired member and check his/her permissions on board etc.

OK, pretty good, it can be usefull.

But in this case I have complete control over member's account what include reading of private messages.

Is that OK? I think some categories shouldn't be accessible for admin. What do you think?

[Im#NuMBeR1]

While it is an invasion of a members privacy, however is useful to check PMs IF that member was reported for PM advertising etc. (If you have a strict rule against PM advertising).

[Misi]

Access to private messages should be disabled permanently.
Is the admin itching to read them? There is phpmyadmin for that purpose.

[dean84]

They ain't personal messages though are they, they are only conversations, so that you can chose to speak to someone that way other than via the forums.

If we get reports of a user abusing the conversations system, ie threatening and abusive language. We need the ability to check it out, as we won't act unless we have proof.

[Im#NuMBeR1]

They ain't personal messages though are they, they are only conversations, so that you can chose to speak to someone that way other than via the forums.

If we get reports of a user abusing the conversations system, ie threatening and abusive language. We need the ability to check it out, as we won't act unless we have proof.

But then again, the member being "abusive" could just delete the conversations history on his/her end.

[Hunting insects...]

Access to private messages should be disabled permanently.
Is the admin itching to read them? There is phpmyadmin for that purpose.

They are not and never were "private" messages and as you you point out may be accessed via the database anyway. Nothing has really changed...

[Aiwa]

The only private messages anyone have on my board are the ones NOT on my board.

Just like forum topics, all information becomes the property of the board owner.

Nothing is private unless it is encoded in the DB. so passwords are still private.

[ΑndyF]

You can always just ignore the newer feature. Ultimately there was a third party hook to do this on older versions anyway and its not that difficult to either read things in the db and / or temporarily change details to login as whatever member.

[Axel Wers]

Ultimately there was a third party hook to do this on older versions anyway and its not that difficult to either read things in the db and / or temporarily change details to login as whatever member.

Yes, but there is something different.

You can use that hook or check PMs via phpMyAdmin - and NOBODY knows it

But when I will login via this new feature nick of that user (who currently I control) is visible in online list.
And someone other can see it and will ask that member:
"Hey were you on board yesterday evening?"
"Not, why?"
"I saw you online!"
"What? How is possible? Hey admin can you explain it?!"

Problem is, when admin will use this feature, everything is logged. It's dangerous for credibility. Generally feature is not bad, Admin can see or fix possible problems from member's view, but some things shouldn't be revealed.

[Rimi]

"Hey were you on board yesterday evening?"
"Not, why?"
"I saw you online!"
"What? How is possible? Hey admin can you explain it?!"

"Looks like a bug."



Anyway I don't know what you're more worried about. Member's privacy or being caught.

[Aiwa]

I haven't used this feature yet, but does it allow you to log in annomously as that user? Then they won't show in the online list.

Or there is a hook that allows you to toggle visibility. As soon as you log in as them, go invisible.

[Con]

Logging in as a member via the ACP should have virtually no differences from logging in as that member normally. In the case of verifying that permissions are correctly set, etc., any discrepancies can be nightmarish.

[Charles]

Keep in mind an admin can change a user's password to gain access or just simply directly-query the database. Granted this feature may make it a bit easier for an admin to access a user's information on their community but they have always been able to.

[Rimi]

Incidentally is it possible to use ACP restrcitions to only remove access to that one button?

[Axel Wers]

Anyway I don't know what you're more worried about. Member's privacy or being caught.

Do you have problems with understanding? This feature should help only for problems with accounts, not to gain whole access for administrator.

[Rimi]

Do you have problems with understanding? This feature should help only for problems with accounts, not to gain whole access for administrator.

Well, actually, your English isn't very fluent so I suppose I do have a problem understanding. Please forgive me.

I don't think you understand the complexities of what you're suggesting. There are just so many extra places IPS would have to add checks to to see if the session was logged in via admin which would just lead to a lot more bugs. It's such an impractical suggestion. Besides what if the account problem is with PMs specifically? There's a thread in the technical support board right now where someone has users who are claiming that they can't reply to PMs. How would we look into this issue if we had your restrictions in place? We couldn't. Again your suggestion is impractical.

[Mark]

Incidentally is it possible to use ACP restrcitions to only remove access to that one button?

Yes.

[Axel Wers]

There's a thread in the technical support board right now where someone has users who are claiming that they can't reply to PMs. How would we look into this issue if we had your restrictions in place? We couldn't.

I use IPB more than 8 years and nobody had problems with PMs. So in this case it should be issue on member's side. In 99% cases it makes problem with cookies, if not check personal settings for that members (any restrictions?) or group settings. Still nothing? Maybe browser issue? Try another. Easy from admin view. If you cannot fix it, you aren't probably good admin. By the way, you have had something with my english. Well english is not my mother language but I think it's still understable. You seems to be wise so I sent you PM in my language, you should understand (because you seems to be VERY wise) and we can carry on in my language in PMs because this topic already goes in other way.

[Rimi]

Nevermind.

Edited by Rimi, 23 April 2012 - 08:43 AM.

[Pereira]

So basically you can quickly and easily log into any members account at your own discretion? Does this mean you can just log into their account and post as them too?