Become admin

Problem

  1. Administrators may inadvertently access confidential parts of the forum
  2. Such unwanted access is not being logged
  3. Administrators may miss misconfiguration because their superpowers hide the normal experience from them

Feature description

In the same vein as the Impersonating a user feature, a user with admin privilege should be able to become admin to perform administrative tasks only when that is necessary.

Unlike the Impersonation feature, this feature should not require logging out to recover the normal user privileges.

This feature would:

  1. allow administrators to browse the site as a normal user, sharing the daily experience of other users;
  2. prevent admins from inadvertently accessing private spaces of the forum;
  3. safeguard unauthorized access to such private spaces with actual log of admin access.

The first point is useful because the admin experience is so much different from the user experience, and admins may not be able to realize user issues (e.g., related to wrong permissions set on categories or groups, etc.)

The second point may be critical in cases where a group requires confidentiality: clicking a link might bring the admin to trespass inadvertently and break confidentiality.

The third point would enable administrators to be accountable for unauthorized access to confidential parts of the forum, while they’re currently not at all.

How could it work?

  • Privilege escalation should only be available to actual admin accounts;
  • “Admin” could be considered like an extra Trust Level (e.g., level 5 [1]);
  • Returning to “normal” mode would simply switch back to previous TL;

Instead of giving a whole new “admin perspective”, Admin mode could add an extra layer of user interface:

  • highlighting links that only work because you’re admin
  • highlighting categories you only have access to because you’re admin
  • highlighting group memberships that you can see because you’re admin (e.g., if you’re a member of the group with limited access to group membership, the highlight would not apply)
  • highlighting information that only admins can see

  1. A reference to Chris Marker’s film Level 5 in which a computer programmer tries to complete her deceased husband’s video game about the battle of Okinawa to overcome grief.

3 Likes
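The access decision the proposal above describes (elevation only for real admin accounts, a normal mode that cannot trespass, an audit trail of admin-only reads, and the links or categories to highlight), as an added example that is not part of the original post. The data model, the names `User`, `Category`, `set_admin_mode`, `can_see`, `admin_only_categories` and `AUDIT_LOG` are all assumptions for this illustration, not Discourse's code.

```python
# Constructed model of the sudo-style "become admin" mode proposed above
# (added example, not Discourse's own code), with its audit log.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    name: str
    trust_level: int
    is_admin: bool = False
    admin_mode: bool = False            # the explicit "sudo" switch
    groups: set = field(default_factory=set)

@dataclass
class Category:
    name: str
    min_trust_level: Optional[int] = 0  # None: readable by allowed groups only
    allowed_groups: set = field(default_factory=set)

AUDIT_LOG: list = []   # (user, category, reason) for every admin-only access

def set_admin_mode(user: User, on: bool) -> None:
    """Sudo-style switch: only a real admin account may turn it on, and
    turning it off needs no logout because the base trust level is untouched."""
    if on and not user.is_admin:
        raise PermissionError(f"{user.name} is not an admin account")
    user.admin_mode = on

def _normal_reason(user: User, category: Category) -> Optional[str]:
    """Why an unelevated user may read the category; None if it is off-limits."""
    tl = category.min_trust_level
    if tl is not None and user.trust_level >= tl:
        return "trust_level"
    return "group" if user.groups & category.allowed_groups else None

def can_see(user: User, category: Category) -> tuple:
    """(allowed, reason); 'admin' means the read succeeded only via admin mode."""
    reason = _normal_reason(user, category)
    if reason:
        return True, reason
    if user.is_admin and user.admin_mode:
        AUDIT_LOG.append((user.name, category.name, "admin"))  # accountability
        return True, "admin"
    return False, "denied"   # an admin in normal mode cannot trespass

def admin_only_categories(user: User, categories: list) -> list:
    """Names to highlight in the UI: visible to this user only via admin mode."""
    if not (user.is_admin and user.admin_mode):
        return []
    return [c.name for c in categories if _normal_reason(user, c) is None]
```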

I think this is similar to

3 Likes

I can see how it is similar, yet there are issues in the other discussion that relate to the issue here:

Except that, when you’re admin, you have no way of seeing that a link to a confidential conversation you normally would not have access to is actually off-limits. This is only one case (that occurred to us yesterday and prompted me to start this topic) where the non-separation of admin and participant can be problematic.

Moreover, I see that the Discourse team has a habit to be all admins, which makes a horizontal superpower, and does not help, as a culture, to differentiate between normal usage and privileged usage. Not all communities are horizontal, sometimes the tech people who have administrator privilege should not be trusted with everything on the forum, and that is not an edge case: it’s been built in computer systems since the beginning that root can see and do everything. Privilege certainly comes with responsibility, but sometimes benevolence is not enough especially when one cannot distinguish between okay and off-limits.

Although the “use another browser profile” solution can handle a normal and an admin account, it is not very practical, especially as we all get used to having the tools at hand. Firing up a new browser each time an admin feature is needed can be very annoying (not everyone likes nor can afford to have idle resources taken on their machine). It also does not prevent the prying eyes privileged BOFH situation from happening.

Times change. Here, we have an admin who accidentally accessed confidential information that affected the life of other people, and they were not supposed to. This is a privacy breach. It’s a security issue.

I understand the potential complexity, but the core issue remains and should probably be solved one way or another. IMHO, it would be useful to revisit the question now that the code base has matured, and evaluate whether the proposed approach would be doable.

Yes! Having warnings and guards about this kind of (trespassing) issue would be useful.


On existing plugins:

I’d rather have a really clean separation between participant and admin using the classical and well-known sudo metaphor, for all the reasons stated above.

1 Like

I agree that the sudo mechanism - in windows the User Account Control dialogue - is a good way for an account to have the potential to act as an admin, but without always having the ability.

On one of my forums, the approach I use is to have an admin login, but usually to use Impersonate User to log in as a normal account all the time. When I need to act as admin, I log out and log in again. This does mean two accounts.

One advantage of two accounts is that when I post or comment with my normal account, I do not appear as a powerful important person. (Sometimes, commenting as an admin will be taken as a pronouncement or a police action. It depends on the culture and expectation of the reader.)

1 Like

Since this feature, if it eventually comes to be implemented (do not forget to vote for it!), will take time before it happens, we are evaluating using two accounts. That means: converting existing accounts to normal accounts. Here is what it should entail (I will try to edit this post, or make it a wiki so we can keep an up-to-date documentation covering caveats)…

:warning: untested yet: this is all theoretical, from the top of my head.

Converting an existing Discourse admin account into a normal user account

Since we do not want to lose history and “forum experience” from the original account, we need to proceed with care before removing admin privilege.

Given user me with email original-me@email.example.

First case: admin account in DISCOURSE_DEVELOPER_EMAILS

If the admin account’s email is part of DISCOURSE_DEVELOPER_EMAILS, it cannot be demoted to a normal account.

  1. Create a new account that will become admin, e.g., me2 with email original-me+admin@email.example.
  2. From me, grant administration privilege to the new account me2.
  3. Edit app.yml (or web_only.yml if you use the dual container setup) to replace original-me@email.example with original-me+admin@email.example and rebuild the container.
  4. From me2, demote the original account me.

You now have a normal user account with all your experience (me) and a new admin-only account (me2): go to “Aftermath”.

Second case: admin account promoted from normal user

This is simpler, since you can demote this user without having to rebuild the container.

  1. Create a new account that will become admin, e.g., me2 with email original-me+admin@email.example.
  2. From me, grant administration privilege to the new account me2.
  3. From me2, demote the original account me.

You now have a normal user account with all your experience (me) and a new admin-only account (me2): go to “Aftermath”.

Aftermath

Before, you had a single user account with admin privilege: you would receive notifications for system upgrades, review flags, and could access all areas, including those you’re not supposed to see (e.g., private user messages if they are not encrypted) or categories restricted to groups you’re not a part of. All this is gone! Now you must connect regularly to your admin account to do anything you were used to doing from your unique user/admin account (which is yet another reason why the proposed feature is useful). You need to build this discipline to open the two accounts at the same time if you want live admin notifications (e.g., using a private tab in Firefox, or equivalent for other web browsers).

Caveats

You should not use your admin account for anything else than administration.

Do not browse discussions while you’re admin! This time is lost to your own trust level progression, and you never know when you might click a link that is off-limits for you as a person.

If you happen to read something while in your admin account that makes you react, either switch to your normal user tab and browse to the original URL, or, if your normal user does not have access to that section: forget about it immediately (unless, of course, you should react with your admin hat on).

You should configure your admin account to look different

Change your avatar to ensure you never confuse your admin account and your normal user account. Make your profile invisible. Change your background image or theme, your name to include “ADMIN” or something like “THIS ACCOUNT DOES NOT POST”, etc. Just make sure you will not be tempted to post with your admin account, ever.

You should configure your admin account to filter notifications

TODO: detail this section

You should set up your admin account to mute all notifications by email (unless you want to receive such notifications, e.g., to avoid having to keep an admin tab open at all times, AND you are able to clearly distinguish which are destined for you as a person and which for your admin role).

You probably want to be notified on your desktop to catch flags and important messages.

What to do with staff category and whispers?

Yes, you hit one more complicated issue with using two separate accounts for admin and normal user participation. Sometimes you must interact on the forum as an admin. This is probably inevitable. Try not to become schizophrenic, and try to minimize your staff interventions as much as you can. Please report your tactics for dealing with this arduous problem, and motivate the all-admin Discourse team to implement this feature. :wink:

Advantages of the Two-Account solution

  1. Clean separation between participation and administration (sort of)
  2. You cannot make mistakes from your normal account
  3. All your admin actions are properly logged
  4. As a user, you experience the forum as any other user, so you can easily catch permission issues
  5. If you happen to post as admin but intended to post as yourself, you can change ownership to your other account (but this kinda defeats having two accounts).
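Step 3 of the first case above (swapping the email listed in DISCOURSE_DEVELOPER_EMAILS) and the precondition for step 4 (an account still listed cannot be demoted), as an added example that is not part of the original post or of Discourse's own tooling. It assumes the developer list sits under `env:` in app.yml as a quoted, comma-separated string, as in the default template; the sample app.yml fragment and the function names are constructed for this illustration.

```python
# Step 3 of the first case above as a checked rewrite of app.yml, plus the
# precondition for step 4 (added example, not Discourse's own tooling).
# Assumes the default template layout under `env:`, for instance
#   DISCOURSE_DEVELOPER_EMAILS: 'a@example.com,b@example.com'
import re

KEY = "DISCOURSE_DEVELOPER_EMAILS"
LINE_RE = re.compile(r"""^(\s*)DISCOURSE_DEVELOPER_EMAILS:\s*['"]?([^'"\n]*)['"]?\s*$""")

# Constructed sample of the relevant part of app.yml
SAMPLE_YML = (
    "env:\n"
    "  LANG: en_US.UTF-8\n"
    "  DISCOURSE_DEVELOPER_EMAILS: 'original-me@email.example,other@email.example'\n"
)

def _split(value: str) -> list:
    return [e.strip() for e in value.split(",") if e.strip()]

def developer_emails(yml_text: str) -> list:
    """The comma-separated developer list, or [] if the key is absent."""
    for line in yml_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            return _split(m.group(2))
    return []

def swap_developer_email(yml_text: str, old: str, new: str) -> str:
    """Return app.yml text with `old` replaced by `new`; other entries and
    lines are left untouched. Refuses to write if `old` is not listed."""
    out = []
    for line in yml_text.splitlines(keepends=True):
        m = LINE_RE.match(line.rstrip("\r\n"))
        if m:
            emails = _split(m.group(2))
            if old not in emails:
                raise ValueError(f"{old} is not in {KEY}")
            emails = [new if e == old else e for e in emails]
            line = f"{m.group(1)}{KEY}: '{','.join(emails)}'\n"
        out.append(line)
    return "".join(out)

def safe_to_demote(yml_text: str, email: str) -> bool:
    """Step 4 precondition: an account still listed cannot be demoted, so
    check the rebuilt container's app.yml before demoting `me`."""
    return email not in developer_emails(yml_text)
```

Run `swap_developer_email` on the real file contents, write the result back, rebuild, and only then let `safe_to_demote` gate the demotion of the original account.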

So admins will be normal users or TL4s, but can turn on ‘admin mode’ to use the special admin features?
If so, what’s stopping the admins from always leaving it on?

2 Likes

That’s an interesting note. Any way to close the gap - allow a group to control delivery of notifications, without the content? “There are flagged posts” “There is a message waiting” “Your installation is out of date”

1 Like

Here’s an idea: the admin role cannot post to a public category or thread, cannot like a post.

2 Likes

It also means the account could be ignored like a normal user. Only getting necessary updates from the admin if we want to ignore them.
Great one indeed :+1:t2:

1 Like