Log in... as some members (threat to privacy)

52 posts in this topic

Posted

In 3.3.x we have a new feature, via ACP I can login on board as desired member and check his/her permissions on board etc.

OK, pretty good, it can be useful.

But in this case I have complete control over the member's account, which includes reading of private messages.

Is that OK? I think some categories shouldn't be accessible for admin. What do you think?


Posted

While it is an invasion of a member's privacy, it is however useful to check PMs IF that member was reported for PM advertising etc. (If you have a strict rule against PM advertising).


Posted

Access to private messages should be disabled permanently.
Is the admin itching to read them? There is phpMyAdmin for that purpose.

Pereira likes this


Posted

They ain't personal messages though are they, they are only conversations, so that you can choose to speak to someone that way other than via the forums.

If we get reports of a user abusing the conversations system, i.e. threatening and abusive language, we need the ability to check it out, as we won't act unless we have proof.


Posted


They ain't personal messages though are they, they are only conversations, so that you can choose to speak to someone that way other than via the forums.

If we get reports of a user abusing the conversations system, i.e. threatening and abusive language, we need the ability to check it out, as we won't act unless we have proof.


But then again, the member being "abusive" could just delete the conversations history on his/her end. :o


Posted


Access to private messages should be disabled permanently.


Is the admin itching to read them? There is phpMyAdmin for that purpose.




They are not and never were "private" messages and as you point out may be accessed via the database anyway. Nothing has really changed...
AlexJ and TaffyCaffy like this


Posted

The only private messages anyone has on my board are the ones NOT on my board.

Just like forum topics, all information becomes the property of the board owner.

Nothing is private unless it is encoded in the DB, so passwords are still private.

AndyF likes this


Posted

You can always just ignore the newer feature. :) Ultimately there was a third party hook to do this on older versions anyway and it's not that difficult to either read things in the db and / or temporarily change details to login as whatever member.

Aiwa likes this


Posted


Ultimately there was a third party hook to do this on older versions anyway and it's not that difficult to either read things in the db and / or temporarily change details to login as whatever member.



Yes, but there is something different.

You can use that hook or check PMs via phpMyAdmin - and NOBODY knows it

But when I will login via this new feature nick of that user (who currently I control) is visible in online list.
And someone other can see it and will ask that member:
"Hey were you on board yesterday evening?"
"Not, why?"
"I saw you online!"
"What? How is possible? Hey admin can you explain it?!"

Problem is, when admin will use this feature, everything is logged. It's dangerous for credibility. Generally feature is not bad, Admin can see or fix possible problems from member's view, but some things shouldn't be revealed.


Posted


"Hey were you on board yesterday evening?"


"Not, why?"


"I saw you online!"


"What? How is possible? Hey admin can you explain it?!"


"Looks like a bug."

:P

Anyway I don't know what you're more worried about. Member's privacy or being caught.
Aiwa likes this


Posted

I haven't used this feature yet, but does it allow you to log in anonymously as that user? Then they won't show in the online list.

Or there is a hook that allows you to toggle visibility. As soon as you log in as them, go invisible.


Posted

Logging in as a member via the ACP should have virtually no differences from logging in as that member normally. In the case of verifying that permissions are correctly set, etc., any discrepancies can be nightmarish.


Posted

Keep in mind an admin can change a user's password to gain access or just simply directly-query the database. Granted this feature may make it a bit easier for an admin to access a user's information on their community but they have always been able to.


Posted

Incidentally is it possible to use ACP restrictions to only remove access to that one button?


Posted



Anyway I don't know what you're more worried about. Member's privacy or being caught.



Do you have problems with understanding? This feature should help only for problems with accounts, not to gain whole access for administrator.


Posted


Do you have problems with understanding? This feature should help only for problems with accounts, not to gain whole access for administrator.


Well, actually, your English isn't very fluent so I suppose I do have a problem understanding. Please forgive me.

I don't think you understand the complexities of what you're suggesting. There are just so many extra places IPS would have to add checks to to see if the session was logged in via admin which would just lead to a lot more bugs. It's such an impractical suggestion. Besides what if the account problem is with PMs specifically? There's a thread in the technical support board right now where someone has users who are claiming that they can't reply to PMs. How would we look into this issue if we had your restrictions in place? We couldn't. Again your suggestion is impractical.
Aiwa likes this


Posted


Incidentally is it possible to use ACP restrictions to only remove access to that one button?




Yes.


Posted


There's a thread in the technical support board right now where someone has users who are claiming that they can't reply to PMs. How would we look into this issue if we had your restrictions in place? We couldn't.



I use IPB more than 8 years and nobody had problems with PMs. So in this case it should be issue on member's side. In 99% cases it makes problem with cookies, if not check personal settings for that members (any restrictions?) or group settings. Still nothing? Maybe browser issue? Try another. Easy from admin view. If you cannot fix it, you aren't probably good admin. By the way, you have had something with my English. Well English is not my mother language but I think it's still understandable. You seems to be wise so I sent you PM in my language, you should understand (because you seems to be VERY wise) and we can carry on in my language in PMs because this topic already goes in other way.


Posted (edited)

Nevermind.

Edited by Rimi


Posted

So basically you can quickly and easily log into any member's account at your own discretion? Does this mean you can just log into their account and post as them too?


Posted


So basically you can quickly and easily log into any member's account at your own discretion? Does this mean you can just log into their account and post as them too?


That's correct.


Posted


Unbelievable that you would want to give admins such unfettered access to member accounts. I can't count how many ways this can be abused. Not only is it poorly implemented but your rivals have already had much better implementation of this, much earlier and here are the key differences:


Testing Permissions



It can be a challenge to confirm that you have correctly set up a user’s permissions. To ease this, XenForo includes a Test Permissions system. You enter a user’s name and you will be shown the forum as if you applied the user’s permission to yourself.

Please keep in mind the following caveats:

  • You are still logged in as yourself, not the user you’re testing as. You will not be able to see their conversations, watched threads, etc.
  • User-specific changes such as banning or discouragement will not affect you.
  • As the permissions are applied to you, if a permission grants you access to do something only to your own posts (such as editing), you can only edit posts that you made, not posts made by the test user.

To exit permission testing, click the Permissions from Name text at the top of the page and confirm that you want to go back to your permissions.




This of course is the proper way to implement such a feature. I can't understand first off why you would give such control to admins and secondly, implement this in such a poor way especially when you've had a chance to better your rivals.

One step forward and two steps back it seems. :yawn:
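
The "test permissions" behaviour quoted in the post above, sketched as an added example that is not part of the post and is neither XenForo nor IPS code: the admin keeps their own identity and borrows only the target's permission set, so ownership checks and the inbox stay tied to the admin and the switch is logged against the admin. All class, function and field names and the sample data are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    name: str
    perms: frozenset

@dataclass(frozen=True)
class Session:
    identity: User     # owns posts, inbox and the online-list entry
    perms_from: User   # whose permission set is evaluated

AUDIT = []  # append-only record of who borrowed whose permissions

def start_permission_test(admin, target):
    """Overlay mode: the admin keeps their own identity and borrows only
    the target's permission set. The switch is recorded against the admin."""
    AUDIT.append({"event": "permission_test", "actor": admin.id, "target": target.id})
    return Session(identity=admin, perms_from=target)

def can_view_forum(session, forum):
    # Forum access comes from the borrowed permission set.
    return forum["requires"] in session.perms_from.perms

def can_edit_post(session, post):
    # "edit own posts" is checked against the session identity, so the
    # admin can edit only posts the admin wrote, never the target's.
    return ("edit_own_posts" in session.perms_from.perms
            and post["author"] == session.identity.id)

def inbox(session, conversations):
    # Conversations are keyed on identity, so the target's never load.
    return [c["id"] for c in conversations if session.identity.id in c["members"]]

# Constructed sample data (hypothetical users, forum, posts, conversations)
ADMIN = User(1, "admin", frozenset({"edit_own_posts", "view_staff", "view_public"}))
MEMBER = User(42, "member", frozenset({"edit_own_posts", "view_public"}))
STAFF_FORUM = {"name": "Staff", "requires": "view_staff"}
POSTS = [{"id": 10, "author": 1}, {"id": 11, "author": 42}]
CONVERSATIONS = [{"id": 100, "members": {42, 7}}, {"id": 101, "members": {1, 42}}]

if __name__ == "__main__":
    s = start_permission_test(ADMIN, MEMBER)
    print(can_view_forum(s, STAFF_FORUM))
    print([can_edit_post(s, p) for p in POSTS])
    print(inbox(s, CONVERSATIONS))
    print(AUDIT)
```
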


Posted





Unbelievable that you would want to give admins such unfettered access to member accounts. I can't count how many ways this can be abused. Not only is it poorly implemented but your rivals have already had much better implementation of this, much earlier and here are the key differences:





This of course is the proper way to implement such a feature. I can't understand first off why you would give such control to admins and secondly, implement this in such a poor way especially when you've had a chance to better your rivals.



One step forward and two steps back it seems. :yawn:



.... hand-holding?
Everything this tool does is already completely possible through database interaction.... I can absolutely manually add a post by member x, just as much as I can read every PM.... I ask, what is truly the difference?
What good does it do to not show the admin using the tool exactly and precisely what the user would see to a tee?
TaffyCaffy likes this


Posted


.... hand-holding?


Everything this tool does is already completely possible through database interaction.... I can absolutely manually add a post by member x, just as much as I can read every PM.... I ask, what is truly the difference?


What good does it do to not show the admin using the tool exactly and precisely what the user would see to a tee?




No password changes or access to a database is required to do any of this in this case. I have never wanted or had any reason to check a member's permissions let alone read members' personal conversations. It's not only completely unnecessary but possibly raises more issues itself when put in the wrong hands. The natural reaction to this seems to be "just ignore it". This kind of exactitude is self explanatory I think.

Now look at my above post again and tell me honestly, which implementation is better? IPB or XenForo.


Posted

Wrong hands.... quite precisely.... IPB has a rather robust feature-set regarding both managing members and controlling who can manage them...... I still think for full testing purposes, especially with third-party apps, which primarily depend on the SHOWN member id... ergo, you need to ACTUALLY be logged in with x mem id to see y, it is imperative to not alter what is shown, which is why I at this time answer IPB.... the only right way to do that is to ACTUALLY log the user in as x member, especially when it has to take into account both groups settings and permissions for that specific user across all apps.
