Critical Software Flaw - All Forum Accounts Pruned in one click


ChristianC

Well, I'm a bit bummed because today one of our admins clicked a link on the front page of his ACP and in doing so, he pruned every single one of our forum accounts, even my ROOT admin account (he was a regular admin).

Essentially, what happened was that a user (Steph) who had limited ACP access was attempting to do a members prune. However, Steph was blocked from completing the prune when attempting to initiate it.

The admin with full ACP access (Joshua) clicked the link in the screenshot below (taken from his history), assuming it would take him into the "members" page where Steph was. Little did he know, the link would result in a forum account prune without any parameters. He clicked the link and was booted from the ACP afterwards. All the forum accounts were deleted.

As you can see in the actual link URL, it clearly initiates the prune. For whatever reason, there were no confirmation screens or anything. Essentially, Joshua tried to navigate quickly through the ACP to where Steph was in it, but instead, pruned our entire forum!



A single click from the front page of the Admin CP should not result in your entire board being pruned, no matter what. This happened without any confirmations or anything for the user who made that click.




It's a link to bring you to the action of the last thing they performed... That's what it's supposed to do, and that's what it does... You don't need 1001 "ARE YOU SURE" warnings in an Administrative topology because
You should be aware of what you're doing before you do it


It's a link to bring you to the action of the last thing they performed... That's what it's supposed to do, and that's what it does... You don't need 1001 "ARE YOU SURE" warnings in an Administrative topology because
You should be aware of what you're doing before you do it



How could he possibly have known what he was doing? Looking at the link extension when the mouse hovered over it? He was trying to navigate to the pruning page quickly. At least one confirmation is all that would have been needed.

Are you expecting him to have memorized what the URL for a prune is? Even if he had noticed it, he probably would have clicked on it anyway, expecting it to take him to a confirmation page.


It's a link to bring you to the action of the last thing they performed... That's what it's supposed to do, and that's what it does... You don't need 1001 "ARE YOU SURE" warnings in an Administrative topology because
You should be aware of what you're doing before you do it



Yes, it is a link to bring you to the area/section of the last action, not perform the action.

Big difference there! So yes, this is without doubt a pretty serious flaw :thumbsup:

I wouldn't consider this a "serious" flaw. The end result is serious for this user, yes, but given that this is the first time it has ever happened (to our knowledge, at least) it's obviously not something that comes up.

We can add a check for the form submit to resolve this. Easy fix.

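As an added illustration of the fix Brandon describes (a check on the form submit), and not IPS code: a toy member-prune dispatcher with the behaviour the thread describes beside one that only performs the prune on an explicitly confirmed POST carrying the session key and real criteria. The Board class, prune_members and the csrf/confirm/joined_before parameters are all hypothetical.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Board:
    """Constructed stand-in for the forum's member store (not IPS code)."""
    members: dict = field(default_factory=dict)   # member id -> join year
    # Per-admin-session key that a POST must echo back; generated per board here.
    csrf_key: str = field(default_factory=lambda: secrets.token_hex(8))


def prune_members(board, joined_before=None):
    """Delete members who joined before the given year; None means no filter."""
    doomed = [m for m, y in board.members.items()
              if joined_before is None or y < joined_before]
    for m in doomed:
        del board.members[m]
    return len(doomed)


def handle_vulnerable(board, method, params):
    """Behaviour the thread describes: the action parameter alone triggers the
    prune, on GET or POST, and missing criteria are read as 'no restriction'."""
    if params.get("do") == "prune":
        cutoff = params.get("joined_before")
        return f"pruned {prune_members(board, int(cutoff) if cutoff else None)}"
    return "members page"


def handle_fixed(board, method, params):
    """Hardened dispatcher: a GET (the 'last action' shortcut link) only renders
    the confirmation form; only an explicitly confirmed POST with the session
    key and real criteria is allowed to delete anything."""
    if params.get("do") != "prune":
        return "members page"
    if method != "POST":
        return "confirm form"
    if not secrets.compare_digest(params.get("csrf", ""), board.csrf_key):
        return "rejected: bad csrf key"
    if params.get("confirm") != "1":
        return "rejected: not confirmed"
    if not params.get("joined_before"):
        return "rejected: no prune criteria"
    return f"pruned {prune_members(board, int(params['joined_before']))}"
```

The same shortcut link that emptied the board in the vulnerable version only lands on the confirmation form in the fixed one, and a POST that omits criteria is refused rather than treated as "prune everyone".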

Isn't it a bug though? The limited admin was trying to prune some members, and when the unlimited admin clicked the link they pruned all the members.

Also, I'm sorry, but I find this situation to be hilarious... I'm a bad person. :(


  • Management

Isn't it a bug though? The limited admin was trying to prune some members, and when the unlimited admin clicked the link they pruned all the members.

Also, I'm sorry, but I find this situation to be hilarious... I'm a bad person. :(




Yes which is why we will do a fix :)

Brandon was just pointing out that it's clearly not a "critical" issue since we have never heard of this problem before and it's been like that for years :)

Ah ok. Sorry about my misunderstanding.

While we're on this topic, how about adding back the little line that says how many minutes ago an admin's last click was? It was in 2.3.x if I recall correctly and really helped me be a pro stalker.
