51 replies to this topic

[Rimi]

So basically you can quickly and easily log into any members account at your own discretion? Does this mean you can just log into their account and post as them too?

That's correct.

[Pereira]

Unbelievable that you would want to give admins such unfettered access to member accounts. I can't count how many ways this can be abused. Not only is it poorly implemented but your rivals have already had much better implementation of this, much earlier and here's the key differences:

Testing Permissions

It can be a challenge to confirm that you have correctly set up a user’s permissions. To ease this, XenForo includes a Test Permissions system. You enter a user’s name and you will be shown the forum as if you applied the user’s permission to yourself.
Please keep in mind the following caveats:

• You are still logged in as yourself, not the user you’re testing as. You will not be able to see their conversations, watched threads, etc.
• User-specific changes such as banning or discouragement will not affect you.
• As the permissions are applied to you, if a permission grants you access to do something only to your own posts (such as editing), you can only edit posts that you made, not posts made by the test user.

To exit permission testing, click the Permissions from Name text at the top of the page and confirm that you want to go back to your permissions.

This of course is the proper way to implement such a feature. I can't understand first off why you would give such control to admins and secondly, implement this in such a poor way especially when you've had a chance to better your rivals.

One step forward and two steps back it seems.

[Marcher Technologies]

Unbelievable that you would want to give admins such unfettered access to member accounts. I can't count how many ways this can be abused. Not only is it poorly implemented but your rivals have already had much better implementation of this, much earlier and here's the key differences:



This of course is the proper way to implement such a feature. I can't understand first off why you would give such control to admins and secondly, implement this in such a poor way especially when you've had a chance to better your rivals.

One step forward and two steps back it seems.

.... hand-holding?
Everything this tool does is already completely possible through database interaction.... i can absolutely manually add a post by member x, just as much as i can read every PM.... I ask, what is truly the difference?
What good does it do to not show the admin using the tool exactly and precisely what the user would see to a tee?

[Pereira]

.... hand-holding?
Everything this tool does is already completely possible through database interaction.... i can absolutely manually add a post by member x, just as much as i can read every PM.... I ask, what is truly the difference?
What good does it do to not show the admin using the tool exactly and precisely what the user would see to a tee?

No password changes or access to a database is required to do any of this in this case. I have never wanted or had any reason to check a members permissions let alone read members personnel conversations. It's not only completely unnecessary but possibly raises more issues itself when put in the wrong hands. The natural reaction to this seems to be "just ignore it". This kind of exactitude is self explanatory I think.

Now look at my above post again and tell me honestly, which implementation is better? IPB or XenForo.

[Marcher Technologies]

Wrong hands.... quite precisely.... IPB has a rather robust feature-set regarding both managing members and controlling who can manage them...... I still think for full testing purposes, especially with third-party apps, which primarily depend on the SHOWN member id... ergo, you need to ACTUALLY be logged in with x mem id to see y, it is imperative to not alter what is shown, which is why I at this time answer IPB.... the only right way to do that is to ACTUALLY log the user in as x member, especially when it has to take into account both groups settings and permissions for that specific user across all apps.

[Pereira]

What good does it do to not show the admin using the tool exactly and precisely what the user would see to a tee?

If it's solely for checking permissions/settings then all of this can be done in the admin panel anyway. Why do I need to see your PM's in order to test such permissions?

To me, the way this has been implemented appears to be an easy way around actually creating a proper solution. i.e. a proper permission testing system and one where you can't read someones conversations and mislead a users activity.

[Rimi]

It's not like this feature wasn't available before either. People could always do it via a hook available in the marketplace.

[Marcher Technologies]

If it's solely for checking permissions/settings then all of this can be done in the admin panel anyway. Why do I need to see your PM's in order to test such permissions?

To me, the way this has been implemented appears to be an easy way around actually creating a proper solution. i.e. a proper permission testing system and one where you can't read someones conversations and mislead a users activity.

Checking the settings is not checking they actually work Pereira, or that they are working as you understand them to in some cases.
If a user has a primary, several secondaries, and a perms set, any one of these could be contributing to something you are "certain" is set up correctly, but is not.

[Pereira]

Wrong hands.... quite precisely.... IPB has a rather robust feature-set regarding both managing members and controlling who can manage them...... I still think for full testing purposes, especially with third-party apps, which primarily depend on the SHOWN member id... ergo, you need to ACTUALLY be logged in with x mem id to see y, it is imperative to not alter what is shown, which is why I at this time answer IPB.... the only right way to do that is to ACTUALLY log the user in as x member.

So a system can't be created where you can log in to test a users permissions based on their member id and do so without having the ability to read conversations, mislead user activity etc..?

It's not like this feature wasn't available before either. People could always do it via a hook available in the marketplace.

Which is precisely where it should have remained.

[Pereira]

Checking the settings is not checking they actually work Pereira.

This cannot be done by creating a test user then?

[Marcher Technologies]

I find this topic... frankly.... I'm so done here.
This can be discussed further obviously.... it is about no more than limiting the admins ability to quickly and effectively verify things are in order with a members account.
it is a tool, to be used, or not used at all.
I could go dredge up enough topics to make my head bleed open on the subject of not forcing admins to interact at the database level for such menial tasks, and the complaints thereof, but instead.... Have a Nice Day .

[The Heff]

Wow, so many admins here with a complex about seeing PMs. Are you a trustworthy admin? Then don't look at the PMs... Simple.

[Lewis P]

Are you a trustworthy admin? Then don't look at the PMs... Simple.

This. You obviously don't trust yourself or your other admins - and in that case, you (or they) shouldn't be the administrator of a website.

[Pereira]

I've made my position quite clear I think. Poor implementation and unnecessary (at least I can see no use for it).

You don't need to change any password or access any databases to read members PM's, imitate them and mislead their site activity.

Because I don't want this tho, apparently I shouldn't be running a website.

[Aiwa]

EDIT:

I agree with The Heff... You seem to have a complex about PM's...

If you don't like the feature... Don't use it and make sure your other admins can't as well.

[The Heff]

(at least I can see no use for it)

And that's the key. So turn it off on your board.

I have used it on my board to diagnose issues already and, as a trusted admin, did not go near the PMs. Other admins clearly see a benefit of the feature and are making active use of it. Whether they are trustworthy and keep away from PMs is their business and you don't really need to worry about it.

Personally, even on another admins board I would not worry. Nothing sensitive will ever be communicated by me via PM and if they're really that interested in my messages, they could just ask.

[Pereira]

And that's the key. So turn it off on your board.

I have used it on my board to diagnose issues already and, as a trusted admin, did not go near the PMs. Other admins clearly see a benefit of the feature and are making active use of it. Whether they are trustworthy and keep away from PMs is their business and you don't really need to worry about it.

Personally, even on another admins board I would not worry. Nothing sensitive will ever be communicated by me via PM and if they're really that interested in my messages, they could just ask.

You seem to be totally missing the point.

I'm not against the idea of a permissions testing system. As I've said before my issue is that it allows you to view conversations, act as the member and give a false representation of their activity all without having access to a database or changing a single password. A permissions/settings testing system should never require such access at admin level (this could all be done before by creating a test user anyway).

XenForo implemented it perfectly. Non invasive and does what it should only do i.e. test permissions and nothing else.

[PPlanet]

As I haven't updated and still run 3.1.4, can someone please confirm if I understand this new feature right please?

First question, are we talking of a feature that comes with 3.3.1 and not of a third party hook?

Second question, if so, can you post as one of your members with it?

Personally I don't see much need to read members' PMs (but I do understand that it may be handy in exceptional circumstances), but I often find myself posting on behalf of members (obviously with their knowledge), when someone like a sponsor for example just sends me the content of the post via email, or when I need to separate the contents of a single post, so I leave part of it in the original, and make a new post as that member in another location. Currently I use one of Dawpi's excellent mods to achieve that and now I'm trying to convince him to upgrade it. However, if that option is now part of IP.Board, that will sort things out.

I thank anyone confirming this in advance, as this function is probably the only thing holding my forum upgrade at this stage. Cheers.

[Rimi]

1) Its not a hook its built in

2) Yes you can post as members.

[PPlanet]

1) Its not a hook its built in

2) Yes you can post as members.

Thank you, much appreciated.