
Critical Software Flaw - All Forum Accounts Pruned in one click


ChristianC


Posted

Well, I'm a bit bummed because today one of our admins clicked a link on the front page of his ACP and in doing so, he pruned every single one of our forum accounts, even my ROOT admin account (he was a regular admin).

Essentially, what happened was that a user (Steph) who had limited ACP access was attempting to do a members prune. However, Steph was blocked from completing the prune when attempting to initiate it.

The admin with full ACP access (Joshua) clicked the link in the screenshot below (taken from his history), assuming it would take him into the "members" page where Steph was. Little did he know, the link would result in a forum account prune without any parameters. He clicked the link and was booted from the ACP afterwards. All the forum accounts were deleted.

As you can see in the actual link url, it clearly initiates the prune. For whatever reason, there were no confirmation screens or anything. Essentially, Joshua tried to navigate quickly through the ACP to where Steph was in it, but instead, pruned our entire forum!


Posted

How is this a software flaw? The software did what it was asked to do... The only flaw was giving out super user permissions to someone who didn't know how to properly use the ACP.

Posted

A single click from the front page of the Admin CP should not result in your entire board being pruned, no matter what. This happened without any confirmations or anything for the user who made that click.

Posted

A single click from the front page of the Admin CP should not result in your entire board being pruned, no matter what. This happened without any confirmations or anything for the user who made that click.

It's a link to bring you to the action of the last thing they performed... That's what it's supposed to do, and that's what it does... You don't need 1001 "ARE YOU SURE" warnings in an administrative topology, because you should be aware of what you're doing before you do it.
Posted

It's a link to bring you to the action of the last thing they performed... That's what it's supposed to do, and that's what it does... You don't need 1001 "ARE YOU SURE" warnings in an administrative topology, because you should be aware of what you're doing before you do it.

How could he possibly have known what he was doing? Looking at the link extension when the mouse hovered over it? He was trying to navigate to the pruning page quickly. At least one confirmation is all that would have been needed.

Are you expecting him to have memorized what the URL for a prune is? Even if he had noticed it, he probably would have clicked on it anyway, expecting it to take him to a confirmation page.
Posted

Thanks for letting us know. I've filed a bug report:

In future, feel free to submit any issues with the software directly to the bug tracker, or submit a support request in the client area :)

Posted

It's a link to bring you to the action of the last thing they performed... That's what it's supposed to do, and that's what it does... You don't need 1001 "ARE YOU SURE" warnings in an administrative topology, because you should be aware of what you're doing before you do it.

Yes, it is a link to bring you to the area/section of the last action, not to perform the action.

Big difference there! So yes, this is without doubt a pretty serious flaw :thumbsup:
Posted

I wouldn't consider this a "serious" flaw. The end result is serious for this user, yes, but given that this is the first time it has ever happened (to our knowledge, at least), it's obviously not something that comes up.

We can add a check for the form submit to resolve this. Easy fix.
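The failure described in the first post (a navigation link whose URL performs an unparameterised prune with no confirmation) and the "check for the form submit" fix mentioned above, as an added example that is not part of this thread and not the forum software's own code. The member table, the request dictionaries, the `name_prefix` filter and the handler names are all constructed for the demonstration; the point is the ordering of checks in `hardened_prune`, each of which fails closed.

```python
import hmac
import secrets

# Constructed sample member table for the demonstration (not real forum data).
SAMPLE_MEMBERS = {1: "root_admin", 2: "joshua", 3: "steph", 4: "user_a", 5: "user_b"}


def matches(name, filt):
    """Hypothetical prune filter: an empty filter matches every member,
    which is exactly why an unparameterised prune is so dangerous."""
    return name.startswith(filt.get("name_prefix", ""))


def vulnerable_prune(members, request):
    """Mirrors the failure mode in the thread: reaching the prune URL by any
    method, with no parameters and no confirmation, deletes every member.
    Returns the ids that were removed."""
    if request["path"] != "/admin/members/prune":
        return []
    filt = request.get("params", {})
    doomed = [uid for uid, name in list(members.items()) if matches(name, filt)]
    for uid in doomed:
        del members[uid]
    return doomed


class PruneRefused(Exception):
    """Raised when a prune request fails one of the safety checks."""


def new_session(admin_id):
    """Session for the acting admin, carrying a per-session CSRF token."""
    return {"admin_id": admin_id, "csrf_token": secrets.token_hex(16)}


def hardened_prune(members, request, session):
    """The same action with the checks a practitioner would expect.
    A plain navigation link can no longer trigger the prune."""
    if request["path"] != "/admin/members/prune":
        return []
    params = request.get("params", {})
    # 1. A destructive action is a POST. A GET (a clicked link, a browser
    #    prefetch, a 'last action' shortcut) must only render the form.
    if request["method"] != "POST":
        raise PruneRefused("prune must be submitted with POST")
    # 2. The form carries a CSRF token bound to this admin's session,
    #    compared in constant time.
    if not hmac.compare_digest(params.get("csrf_token", ""), session["csrf_token"]):
        raise PruneRefused("missing or invalid CSRF token")
    # 3. An explicit confirmation field that only the confirmation screen sets.
    if params.get("confirm") != "yes":
        raise PruneRefused("confirmation screen not completed")
    # 4. No filter means 'everyone'. Refuse rather than default to delete-all.
    filt = {k: v for k, v in params.items() if k not in ("csrf_token", "confirm")}
    if not any(filt.values()):
        raise PruneRefused("refusing to prune with an empty filter")
    # 5. Never prune the admin performing the action.
    doomed = [uid for uid, name in list(members.items())
              if matches(name, filt) and uid != session["admin_id"]]
    for uid in doomed:
        del members[uid]
    return doomed


def is_refused(members, request, session):
    """Helper: True only if the hardened handler refuses the request and
    leaves the member table untouched."""
    before = dict(members)
    try:
        hardened_prune(members, request, session)
    except PruneRefused:
        return members == before
    return False


if __name__ == "__main__":
    table = dict(SAMPLE_MEMBERS)
    print("vulnerable GET removed:", vulnerable_prune(table, {"method": "GET", "path": "/admin/members/prune"}))
    table = dict(SAMPLE_MEMBERS)
    sess = new_session(2)
    print("hardened GET refused:", is_refused(table, {"method": "GET", "path": "/admin/members/prune"}, sess))
    ok = {"method": "POST", "path": "/admin/members/prune",
          "params": {"csrf_token": sess["csrf_token"], "confirm": "yes", "name_prefix": "user_"}}
    print("hardened filtered POST removed:", hardened_prune(table, ok, sess), "remaining:", table)
```

The check order matters: method and CSRF token are verified before any parameter is read, so a link or a cross-site form cannot reach the confirmation or filter logic at all, and the empty-filter refusal means that even a legitimate admin who submits the form without selecting anything does not wipe the board.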

Posted

Isn't it a bug though? The limited admin was trying to prune some members, and when the unlimited admin clicked the link they pruned all the members.

Also, I'm sorry, but I find this situation to be hilarious... I'm a bad person. :(

Posted

Isn't it a bug though? The limited admin was trying to prune some members, and when the unlimited admin clicked the link they pruned all the members.

Also, I'm sorry, but I find this situation to be hilarious... I'm a bad person. :(

Yes, which is why we will do a fix :)

Brandon was just pointing out that it's clearly not a "critical" issue, since we have never heard of this problem before and it's been like that for years :)
Posted

Ah ok. Sorry about my misunderstanding.

While we're on this topic, how about adding back the little line that says how many minutes ago an admin's last click was? It was in 2.3.x if I recall correctly and really helped me be a pro stalker.

Archived

This topic is now archived and is closed to further replies.
