PatrickRQ Posted April 25, 2022 Posted April 25, 2022 Hello, We have different levels of permissions in our admin structure. I want to provide support of signing as other member to specific users but problem is they can sign as highest admin account. There should be setting to block specific users/groups from ability of signing as.
Randy Calvert Posted April 25, 2022 Posted April 25, 2022 If you create an unrestricted admin, they'll have permission to access the function and anything else. You want to create a restricted admin and grant the specific member privilege to sign in as a member. ACP > Members > Staff > Administrators Choose the person or group... set them as a RESTRICTED permission set, then go through what permissions they should have. To sign in as a member, choose "Can sign in as members".
Marc Posted April 26, 2022 Posted April 26, 2022 What you are saying there however is correct. If someone is given the ability to sign in as members, they will indeed have the ability to sign in as any member. Please feel free to add suggestions for changes on this within our suggestions area
PatrickRQ Posted April 26, 2022 Author Posted April 26, 2022 @Randy Calvert, it won't help. Using restricted access is designed to use specific admin permissions for specific member or group. Problem here is the "Sign as member" privilege which allows to sign as any member. let's say you give "assign as member" to your super mods or junior admins - they will be able to login as you - his majesty the king ^^ Sonya* 1
PatrickRQ Posted April 26, 2022 Author Posted April 26, 2022 @Marc Stridgen, feel free to move the topic to suggestions, no point to duplicate it.
PatrickRQ Posted June 15, 2022 Author Posted June 15, 2022 Can you address this issue in next update? please
Marc Posted June 15, 2022 Posted June 15, 2022 39 minutes ago, PatrickRQ said: Can you address this issue in next update? please We cannot guarentee when or even if a suggestion will make it to a final release unfortunately. I can tell you it certainly wont be in 4.7 as that is already in beta
Dll Posted June 15, 2022 Posted June 15, 2022 On 4/26/2022 at 9:04 AM, PatrickRQ said: @Randy Calvert, it won't help. Using restricted access is designed to use specific admin permissions for specific member or group. Problem here is the "Sign as member" privilege which allows to sign as any member. let's say you give "assign as member" to your super mods or junior admins - they will be able to login as you - his majesty the king ^^ Thing is, if you're concerned that by logging in as you they could do bad things, I wonder why you'd trust them to login as anyone, or indeed to login to the ACP at all?
Marc Posted June 15, 2022 Posted June 15, 2022 1 minute ago, Dll said: Thing is, if you're concerned that by logging in as you they could do bad things, I wonder why you'd trust them to login as anyone, or indeed to login to the ACP at all? I would tend to agree. You should be allowing only people you trust to access these areas
Sonya* Posted June 15, 2022 Posted June 15, 2022 32 minutes ago, Dll said: I wonder why you'd trust them to login as anyone Use case: moderator logs in as member to investigate the reported issue. Helpful to distinguish if the issue is reproducable e. g. permissions issue. Or if not, then probably browser-based. This helps to instruct the user further. Indeed the moderator should be able to login as member only, not as other moderator and not as admin. opentype and Markus Jung 1 1
Dll Posted June 15, 2022 Posted June 15, 2022 (edited) 22 minutes ago, Sonya* said: Use case: moderator logs in as member to investigate the reported issue. Helpful to distinguish if the issue is reproducable e. g. permissions issue. Or if not, then probably browser-based. This helps to instruct the user further. Indeed the moderator should be able to login as member only, not as other moderator and not as admin. But, if you look at it as if you're a member of that community - if someone is going to be able to login as me, then I expect that person to be trustworthy. If the owner of the community doesn't trust them to login to their account, why should I trust that person to login to my account? Edited June 15, 2022 by Dll
Sonya* Posted June 15, 2022 Posted June 15, 2022 1 minute ago, Dll said: If the owner of the community doesn't trust them to login to their account, why should I trust that person to login to my account? I do trust my moderators to login into member accounts to investigate the issues. But I do not want them to look into AdminCP with full permission: they should not be able to change something by accident, as they are technically unexperienced they should not be able to see payment history as this is not their business 😉 Markus Jung 1
Marc Posted June 15, 2022 Posted June 15, 2022 I think the point here is that the setting itself is not vulnerable. It does exactly what it says it does. The only thing that is vulnerable is the fact the person has been given those permissions. We have a suggestion in here for that to change, and I can certainly see your points there. However, as it stands at present, it would be wise not to set permissions for moderators based on how you believe it should work in the future. Jim M 1
Dll Posted June 15, 2022 Posted June 15, 2022 (edited) 1 hour ago, Sonya* said: I do trust my moderators to login into member accounts to investigate the issues. But I do not want them to look into AdminCP with full permission: they should not be able to change something by accident, as they are technically unexperienced they should not be able to see payment history as this is not their business 😉 That's different to the original question and your original post though. The original point was allowing staff to log in as one user but not as another one. That's not related to technical proficiency or the chance of them making a mistake, that's purely related to whether you trust them or not, in my opinion. Particularly bearing in mind that just because a super-mod could log in as an admin, it still wouldn't mean they had full access to the acp, as that's separate, as far as I'm aware. Edited June 15, 2022 by Dll
PatrickRQ Posted August 26, 2022 Author Posted August 26, 2022 @Marc Stridgen Can you please address this "issue" in upcoming update?
Randy Calvert Posted August 26, 2022 Posted August 26, 2022 There typically is not comments by staff on feature requests statuses. Simply watch the release notes to see if it was added. Asking for “updates” generally does not help. If this did super important to you, it’s most likely better to engage a 3rd party resource developer to implement on a custom basis for your community.
PatrickRQ Posted August 29, 2022 Author Posted August 29, 2022 I keep asking as I still treat it as vulnerability, even IPS does not 🙂
opentype Posted August 29, 2022 Posted August 29, 2022 (edited) By the way: if this is functionality is ever being changed, I would also suggest to add other options, like removing access to personal messages, which are “personal” by definition and not something moderators should ever get access to. Frankly, I wouldn’t mind having that functionality removed altogether. I would feel much better if I could tell my members “there is no easy way to access messages” than to say “It’s actually super easy, but trust me, I am not going to (mis-)use it”. Edited August 29, 2022 by opentype
Nathan Explosion Posted August 29, 2022 Posted August 29, 2022 Randy Calvert, SeNioR- and Martin A. 3
Recommended Posts