
Log in... as some members (threat to privacy)


51 replies to this topic

#21 Rimi

Rimi

    Strip Me

  • +Clients
  • 6,121 posts

Posted 23 April 2012 - 11:48 AM

So basically you can quickly and easily log into any member's account at your own discretion? Does this mean you can just log into their account and post as them too?

That's correct.

#22 Pereira

Pereira

    Advanced Member

  • Members
  • 429 posts

Posted 23 April 2012 - 12:17 PM


Unbelievable that you would want to give admins such unfettered access to member accounts. I can't count how many ways this can be abused. Not only is it poorly implemented, but your rivals have already had a much better implementation of this, much earlier, and here are the key differences:

Testing Permissions

It can be a challenge to confirm that you have correctly set up a user’s permissions. To ease this, XenForo includes a Test Permissions system. You enter a user’s name and you will be shown the forum as if you applied the user’s permission to yourself.
Please keep in mind the following caveats:

  • You are still logged in as yourself, not the user you’re testing as. You will not be able to see their conversations, watched threads, etc.
  • User-specific changes such as banning or discouragement will not affect you.
  • As the permissions are applied to you, if a permission grants you access to do something only to your own posts (such as editing), you can only edit posts that you made, not posts made by the test user.
To exit permission testing, click the Permissions from Name text at the top of the page and confirm that you want to go back to your permissions.


This of course is the proper way to implement such a feature. I can't understand first off why you would give such control to admins and secondly, implement this in such a poor way especially when you've had a chance to better your rivals.

One step forward and two steps back it seems. :yawn:
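
Added example, not part of the thread and not code from IP.Board or XenForo: a minimal Python model of the two designs argued over here, the permission overlay described in the quoted XenForo documentation and a full log-in-as-member session. All names, the sample data and the audit entries are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data (hypothetical groups, users, posts and conversations).
PERMS = {
    "admin": {"edit_any_post", "edit_own_post", "read_own_pm"},
    "member": {"edit_own_post", "read_own_pm"},
}
USERS = {1: "admin", 2: "member"}       # user id -> group
POSTS = {10: 1, 11: 2}                  # post id -> author id
PMS = {1: ["admin inbox"], 2: ["member inbox"]}  # owner id -> conversations

@dataclass
class Session:
    actor_id: int      # the admin who is really at the keyboard
    identity_id: int   # the account that content and private data belong to
    perms_from: int    # the account whose permission set is evaluated
    audit: list = field(default_factory=list)

def permission_test_session(admin_id, target_id):
    """Overlay model: borrow the target's permissions, keep the admin's identity."""
    return Session(admin_id, admin_id, target_id)

def login_as_session(admin_id, target_id):
    """Full impersonation: identity and permissions both become the target's."""
    s = Session(admin_id, target_id, target_id)
    s.audit.append(("impersonation_start", admin_id, target_id))
    return s

def can(s, perm):
    return perm in PERMS[USERS[s.perms_from]]

def can_edit(s, post_id):
    # "Own post" is judged against the session identity, not the permission source.
    if can(s, "edit_any_post"):
        return True
    return can(s, "edit_own_post") and POSTS[post_id] == s.identity_id

def read_pms(s):
    if not can(s, "read_own_pm"):
        return []
    if s.identity_id != s.actor_id:  # assumption: impersonated reads are logged
        s.audit.append(("pm_read", s.actor_id, s.identity_id))
    return PMS[s.identity_id]

def post_author(s):
    """Account a new post made in this session is attributed to."""
    return s.identity_id
```

In the overlay session the admin can edit only the admin's own post and sees only the admin's own conversations; in the impersonation session the member's post, inbox and authorship are all in reach, which is why the model records who was really acting.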

#23 Marcher Technologies

Marcher Technologies

    $life=FALSE;$code=TRUE;$time--;

  • +Clients
  • 11,761 posts

Posted 23 April 2012 - 12:48 PM


Unbelievable that you would want to give admins such unfettered access to member accounts. I can't count how many ways this can be abused. Not only is it poorly implemented, but your rivals have already had a much better implementation of this, much earlier, and here are the key differences:



This of course is the proper way to implement such a feature. I can't understand first off why you would give such control to admins and secondly, implement this in such a poor way especially when you've had a chance to better your rivals.

One step forward and two steps back it seems. :yawn:

.... hand-holding?
Everything this tool does is already completely possible through database interaction.... I can absolutely manually add a post by member x, just as much as I can read every PM.... I ask, what is truly the difference?
What good does it do to not show the admin using the tool exactly and precisely what the user would see to a tee?
  • TaffyCaffy likes this

#24 Pereira

Pereira

    Advanced Member

  • Members
  • 429 posts

Posted 23 April 2012 - 01:16 PM

.... hand-holding?
Everything this tool does is already completely possible through database interaction.... I can absolutely manually add a post by member x, just as much as I can read every PM.... I ask, what is truly the difference?
What good does it do to not show the admin using the tool exactly and precisely what the user would see to a tee?


No password changes or access to a database is required to do any of this in this case. I have never wanted or had any reason to check a member's permissions, let alone read members' personal conversations. It's not only completely unnecessary but possibly raises more issues itself when put in the wrong hands. The natural reaction to this seems to be "just ignore it". This kind of exactitude is self-explanatory I think.

Now look at my above post again and tell me honestly, which implementation is better? IPB or XenForo.

#25 Marcher Technologies

Marcher Technologies

    $life=FALSE;$code=TRUE;$time--;

  • +Clients
  • 11,761 posts

Posted 23 April 2012 - 01:26 PM

Wrong hands.... quite precisely.... IPB has a rather robust feature-set regarding both managing members and controlling who can manage them...... I still think for full testing purposes, especially with third-party apps, which primarily depend on the SHOWN member id... ergo, you need to ACTUALLY be logged in with x mem id to see y, it is imperative to not alter what is shown, which is why I at this time answer IPB.... the only right way to do that is to ACTUALLY log the user in as x member, especially when it has to take into account both groups settings and permissions for that specific user across all apps.

#26 Pereira

Pereira

    Advanced Member

  • Members
  • 429 posts

Posted 23 April 2012 - 01:29 PM

What good does it do to not show the admin using the tool exactly and precisely what the user would see to a tee?


If it's solely for checking permissions/settings then all of this can be done in the admin panel anyway. Why do I need to see your PMs in order to test such permissions?

To me, the way this has been implemented appears to be an easy way around actually creating a proper solution, i.e. a proper permission testing system and one where you can't read someone's conversations and mislead a user's activity.

#27 Rimi

Rimi

    Strip Me

  • +Clients
  • 6,121 posts

Posted 23 April 2012 - 01:29 PM

It's not like this feature wasn't available before either. People could always do it via a hook available in the marketplace.
  • Marcher Technologies likes this

#28 Marcher Technologies

Marcher Technologies

    $life=FALSE;$code=TRUE;$time--;

  • +Clients
  • 11,761 posts

Posted 23 April 2012 - 01:33 PM

If it's solely for checking permissions/settings then all of this can be done in the admin panel anyway. Why do I need to see your PMs in order to test such permissions?

To me, the way this has been implemented appears to be an easy way around actually creating a proper solution, i.e. a proper permission testing system and one where you can't read someone's conversations and mislead a user's activity.

Checking the settings is not checking they actually work Pereira, or that they are working as you understand them to in some cases.
If a user has a primary, several secondaries, and a perms set, any one of these could be contributing to something you are "certain" is set up correctly, but is not.

#29 Pereira

Pereira

    Advanced Member

  • Members
  • 429 posts

Posted 23 April 2012 - 01:35 PM

Wrong hands.... quite precisely.... IPB has a rather robust feature-set regarding both managing members and controlling who can manage them...... I still think for full testing purposes, especially with third-party apps, which primarily depend on the SHOWN member id... ergo, you need to ACTUALLY be logged in with x mem id to see y, it is imperative to not alter what is shown, which is why I at this time answer IPB.... the only right way to do that is to ACTUALLY log the user in as x member.

So a system can't be created where you can log in to test a user's permissions based on their member id and do so without having the ability to read conversations, mislead user activity etc.?


It's not like this feature wasn't available before either. People could always do it via a hook available in the marketplace.

Which is precisely where it should have remained.

#30 Pereira

Pereira

    Advanced Member

  • Members
  • 429 posts

Posted 23 April 2012 - 01:37 PM

Checking the settings is not checking they actually work Pereira.

This cannot be done by creating a test user then?

#31 Marcher Technologies

Marcher Technologies

    $life=FALSE;$code=TRUE;$time--;

  • +Clients
  • 11,761 posts

Posted 23 April 2012 - 01:43 PM

>_< :unsure: I find this topic... frankly.... I'm so done here.
This can be discussed further obviously.... it is about no more than limiting the admin's ability to quickly and effectively verify things are in order with a member's account.
It is a tool, to be used, or not used at all.
I could go dredge up enough topics to make my head bleed open on the subject of not forcing admins to interact at the database level for such menial tasks, and the complaints thereof, but instead.... Have a Nice Day :) .
  • Lavo and TaffyCaffy like this

#32 The Heff

The Heff

    √-1 2^3 ∑ π

  • +Clients
  • 1,070 posts

Posted 23 April 2012 - 01:48 PM

Wow, so many admins here with a complex about seeing PMs. Are you a trustworthy admin? Then don't look at the PMs... Simple. ;)
  • dean84 and TaffyCaffy like this
Best one-liner ever...
 

I love me a good SEO topic.


East Midlands Stargazers | Moo-Haven Horse Rescue | Viva la Revolución Battlefield 4 Clan

#33 Lewis P

Lewis P

    *insert witty comment*

  • +Clients
  • 2,098 posts

Posted 23 April 2012 - 01:49 PM

Are you a trustworthy admin? Then don't look at the PMs... Simple. ;)


This. You obviously don't trust yourself or your other admins - and in that case, you (or they) shouldn't be the administrator of a website.
  • dean84, Lavo and TaffyCaffy like this

#34 Pereira

Pereira

    Advanced Member

  • Members
  • 429 posts

Posted 23 April 2012 - 03:12 PM

I've made my position quite clear I think. Poor implementation and unnecessary (at least I can see no use for it).

You don't need to change any password or access any databases to read members' PMs, imitate them and mislead their site activity.

Because I don't want this tho, apparently I shouldn't be running a website. :lol:

#35 Aiwa

Aiwa

    I code for fun

  • +Clients
  • 8,445 posts

Posted 23 April 2012 - 03:56 PM

EDIT:

I agree with The Heff... You seem to have a complex about PM's...

If you don't like the feature... Don't use it and make sure your other admins can't as well.



#36 The Heff

The Heff

    √-1 2^3 ∑ π

  • +Clients
  • 1,070 posts

Posted 23 April 2012 - 03:57 PM

(at least I can see no use for it)


And that's the key. So turn it off on your board.

I have used it on my board to diagnose issues already and, as a trusted admin, did not go near the PMs. Other admins clearly see a benefit of the feature and are making active use of it. Whether they are trustworthy and keep away from PMs is their business and you don't really need to worry about it.

Personally, even on another admin's board I would not worry. Nothing sensitive will ever be communicated by me via PM and if they're really that interested in my messages, they could just ask. :P

#37 Pereira

Pereira

    Advanced Member

  • Members
  • 429 posts

Posted 23 April 2012 - 07:56 PM

And that's the key. So turn it off on your board.

I have used it on my board to diagnose issues already and, as a trusted admin, did not go near the PMs. Other admins clearly see a benefit of the feature and are making active use of it. Whether they are trustworthy and keep away from PMs is their business and you don't really need to worry about it.

Personally, even on another admin's board I would not worry. Nothing sensitive will ever be communicated by me via PM and if they're really that interested in my messages, they could just ask. :tongue:

You seem to be totally missing the point.

I'm not against the idea of a permissions testing system. As I've said before my issue is that it allows you to view conversations, act as the member and give a false representation of their activity all without having access to a database or changing a single password. A permissions/settings testing system should never require such access at admin level (this could all be done before by creating a test user anyway).

XenForo implemented it perfectly. Non-invasive and does what it should only do, i.e. test permissions and nothing else.
  • Misi likes this

#38 PPlanet

PPlanet

    IPB Full Member

  • +Clients
  • 191 posts

Posted 23 April 2012 - 11:33 PM

As I haven't updated and still run 3.1.4, can someone please confirm if I understand this new feature right please?

First question, are we talking of a feature that comes with 3.3.1 and not of a third party hook?

Second question, if so, can you post as one of your members with it?

Personally I don't see much need to read members' PMs (but I do understand that it may be handy in exceptional circumstances), but I often find myself posting on behalf of members (obviously with their knowledge), when someone like a sponsor for example just sends me the content of the post via email, or when I need to separate the contents of a single post, so I leave part of it in the original, and make a new post as that member in another location. Currently I use one of Dawpi's excellent mods to achieve that and now I'm trying to convince him to upgrade it. :smile: However, if that option is now part of IP.Board, that will sort things out.

I thank anyone confirming this in advance, as this function is probably the only thing holding my forum upgrade at this stage. Cheers.

#39 Rimi

Rimi

    Strip Me

  • +Clients
  • 6,121 posts

Posted 23 April 2012 - 11:37 PM

1) It's not a hook, it's built in

2) Yes you can post as members.

#40 PPlanet

PPlanet

    IPB Full Member

  • +Clients
  • 191 posts

Posted 24 April 2012 - 02:16 AM

1) It's not a hook, it's built in

2) Yes you can post as members.


Thank you, much appreciated.



