
Preventing Admin from Accessing Messages and Email Addresses


Chris Anderson


I will be launching a website utilizing IPB software that may have many high-profile business people become members. I would like to create an environment where they would feel comfortable using the message system to communicate with each other, knowing I don't have the ready means to read their messages or to access their email addresses.

As the software stands now, I am able to log in as one of these individuals and read their email, or I could create a copy of the MySQL database and programmatically read emails, as the database fields related to messages utilize a password I know. Is there a way to have a separate password just for the message database fields? This password would be input by a trusted third party and stored on the server in a way that I couldn't use it on a copied database unless I had the third party provide the second password. Once the plugin was installed it would ask for the second account name and password and then run code to change over to the new account. The plugin would then require two passwords in order to be removed. I would also need the plugin to remove the "login as another member" functionality and my ability to view the email address of any member. The plugin would have to remain in order for messaging to work, and the code would have to be sufficiently obfuscated to prevent someone readily designing a workaround or figuring out the second password.

To simplify things, the plugin would be installed on a fresh install, so you wouldn't have to deal with existing users and data other than what is created for the default admin account.

If this sounds like something you could do, please let me know what you would charge and an estimated time frame to complete the project.

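As an added illustration of the "separate password just for the message fields" idea in the post above (example code written for this thread, not IPS or plugin code), this Go sketch stores each private message as AES-GCM ciphertext under a key that lives only with the trusted third party, so a copied database holds nothing readable on its own. The MessageVault type, the per-row id used as associated data and the hex storage format are all constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// MessageVault wraps the one secret a copied database lacks: the message key
// held by the trusted third party (constructed design, not IPS code).
type MessageVault struct{ g cipher.AEAD }

// NewMessageVault takes a 32-byte key generated once and kept out of the database.
func NewMessageVault(key []byte) (*MessageVault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &MessageVault{g: g}, nil
}

// rowAAD binds a ciphertext to its row id so it cannot be moved between rows.
func rowAAD(id uint64) []byte { return []byte(fmt.Sprintf("pm:%d", id)) }

// Seal returns the hex(nonce||ciphertext) string written to the message column.
func (v *MessageVault) Seal(id uint64, body string) (string, error) {
	nonce := make([]byte, v.g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return hex.EncodeToString(v.g.Seal(nonce, nonce, []byte(body), rowAAD(id))), nil
}

// Open decrypts a stored column; it fails on a wrong key, a moved row, or any edit.
func (v *MessageVault) Open(id uint64, stored string) (string, error) {
	ct, err := hex.DecodeString(stored)
	if err != nil || len(ct) < v.g.NonceSize() {
		return "", fmt.Errorf("malformed stored body for row %d", id)
	}
	pt, err := v.g.Open(nil, ct[:v.g.NonceSize()], ct[v.g.NonceSize():], rowAAD(id))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

The live application still needs the key in memory to show a message to its recipient, so anyone who can run code on the server can decrypt; what this removes is the offline database-copy path only.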
45 minutes ago, Christopher Anderson said:

I will be launching a website utilizing IPB software that may have many high-profile business people become members. I would like to create an environment where they would feel comfortable using the message system to communicate with each other, knowing I don't have the ready means to read their messages or to access their email addresses.

As the software stands now, I am able to log in as one of these individuals and read their email, or I could create a copy of the MySQL database and programmatically read emails, as the database fields related to messages utilize a password I know. Is there a way to have a separate password just for the message database fields? This password would be input by a trusted third party and stored on the server in a way that I couldn't use it on a copied database unless I had the third party provide the second password. Once the plugin was installed it would ask for the second account name and password and then run code to change over to the new account. The plugin would then require two passwords in order to be removed. I would also need the plugin to remove the "login as another member" functionality and my ability to view the email address of any member. The plugin would have to remain in order for messaging to work, and the code would have to be sufficiently obfuscated to prevent someone readily designing a workaround or figuring out the second password.

To simplify things, the plugin would be installed on a fresh install, so you wouldn't have to deal with existing users and data other than what is created for the default admin account.

If this sounds like something you could do, please let me know what you would charge and an estimated time frame to complete the project.

I know you're looking for a plugin or app, but why not allow users to use two-factor authentication? This would stop an admin trying to log in (no idea why one would), and the database can't be copied in 4.3.x, as that option was removed from the Admin CP, unlike 3.4.x.


As shown in the screenshots, I can easily see the email address of a person and log in and read their mail with a few simple clicks. The marketplace has several apps that allow an admin to readily read messages or programmatically screen mailboxes for certain content. I wouldn't do anything with the email addresses or try to read messages, but that is hard to prove, hence my interest in coming up with a solution that would prevent it programmatically.

9 hours ago, Christopher Anderson said:


As shown in the screenshots, I can easily see the email address of a person and log in and read their mail with a few simple clicks. The marketplace has several apps that allow an admin to readily read messages or programmatically screen mailboxes for certain content. I wouldn't do anything with the email addresses or try to read messages, but that is hard to prove, hence my interest in coming up with a solution that would prevent it programmatically.

That's why I said to look at two-factor authentication; this should reduce the need for any plugin, which could be disabled again via the Admin CP. But if that doesn't work, I'll look and see how that option could be hidden.


You can limit the admin abilities in the dashboard for a particular administrator.

Members - Staff - Administrators

Select the administrator account - Edit

Then go to Members and uncheck this option: "Can sign in as members"

So the administrator won't be able to log in as members. You can also check and uncheck a bunch of other features to limit the admin capabilities.

54 minutes ago, gabs007 said:

You can limit the admin abilities in the dashboard for a particular administrator.

Members - Staff - Administrators

Select the administrator account - Edit

Then go to Members and uncheck this option: "Can sign in as members"

So the administrator won't be able to log in as members. You can also check and uncheck a bunch of other features to limit the admin capabilities.

I appreciate your suggestion, but remember "I" can't be trusted. I might reverse the setting. There is the possibility that no one will put up a fuss about this, but if they should, I would like to have a ready solution that I could implement.

4 hours ago, Christopher Anderson said:

I appreciate your suggestion, but remember "I" can't be trusted. I might reverse the setting. There is the possibility that no one will put up a fuss about this, but if they should, I would like to have a ready solution that I could implement.

Your idea will not solve the issue. Let's take the above example: it allows the owner to set up the correct settings, which could be turned off or on, via the default settings made by IPS (the tools that come as default), versus having a plugin installed or an application that could be removed or disabled by the admin; it's the same problem as the first example. So to solve your problem, if you don't trust your admin, who may or may not read PMs, then having a limited usergroup set up will resolve your problem. You might see that as the best way, but a hook will not stop the problem.


Archived

This topic is now archived and is closed to further replies.
