Do not show topics and PMs to admins unless they are participants

Continuing the conversation from: Discourse Encrypt (deprecated) - #236

Very sorry to hear. I imagine many are not aware of this, so to speak, loophole in the PM system.

I have used the Theme component that moves or alters that. As I think many are not aware how easy/tempting it is to use to view pm that an staff(admin only unless enabled for full mods).

Maybe an idea :bulb: to simply add a site setting to turn off/hide the Messages/warning prompt/option for admins like myself who would rather have an extra layer before proceeding with viewing a PM one is not invited to.

As an added touch hide the like button if viewing as it is very easy to accidentally hit it without knowing as it may be necessary to view a pm tree/conversation. When a member sees someone has liked a pm that is not part of it. This happened with myself when a user became a bit toxic towards me. As we had a bad mod gaslighting him about site policies. That I was following of the client. That mod was not happy that I would undo his over reactions using silence/suspend inappropriately. So he was gaslighting different members to get members to make demands I ban users and complain about me to his superiors.

I was fortunate the post I had accidentally liked and undid the user was understanding but was quite initially shocked that a pm was not really private as expected. Otherwise it could have exploded as a breach of trust community wide.

3 Likes

End-to-end encryption is a pretty complex solution for that problem, and brought with it a ton of other UX problems. So it would be much better if we can resolve that ‘accidental staff access’ concern in a simpler way.

We have this site setting which we’ve been developing for a while. I just went ahead and un-hid it so it’ll be available in the admin UI:

This will suppress topics and PMs from the UI for admins, unless they are participants. Please note though: it is not a security feature. Admins can still access anything. It’s just a bit of extra friction to mitigate with the ‘accidental’ cases you described.

4 Likes

At which places are PMs suppressed?
I just activated the setting and created a category which I limited to a group I am not a member of. That worked as described. I don’t see that category in the categories list.
I also noticed that clicking on a link to a PM takes me to the “this page is private” page. But I am still able to read parts of PMs at other places. So I guess I misunderstood the feature.
For example, I can read the beginning of the message when checking which posts a user liked or reacted to, which I often do (except when I am an admin).


The same happens at the bookmarks activity.

And when I check the deleted posts.

I can also still see the titles of the messages in the user’s inbox and the inboxes of groups I am not a member of.

4 Likes

This is quite a positive move. However if I may if it is not set up this way. Make this setting require logging into the server and command line.

I appreciate the complexity of end2end encryption and suspect after recent issues the Telegram founder has had over it being arrested in France. That the End to End will not be as secure as it once was there

I do also understand some per case uses really need to have Direct Messages (personal messages really can be confused with private) may need to be monitored

I.e.
Schools, companies using it as a platform for employees resource say for company specific, etc.

So as a suggestion. A cmdline setting to enable Admin wide access to pm/group messages etc.

With options

  • Full enable perm while on
  • Enable for target admin. No other admins have ability. Good if some admins are there for Theme & theme component management.
  • Time limit option hour=x after x reverts to previous state of off.
  • maybe an option to target specific user or group for investigating an unreported suspected abuse or request from law enforcement with necessary court order maybe?

1 Like

Yup, those are both places where this setting suppresses the content :+1:

Indeed, this site setting is just a bit of extra friction to prevent accidental access in the most common places. It does not cover all parts of the UI, and it is not considered a security feature.

Admins having full access to all content is very deeply-engrained in Discourse’s source code. Changing that will not be trivial.

In its current form, it is not a security feature, so restricting it to the console wouldn’t make a difference to security either way.


I realise you are both asking for a more fully-fledged version of this feature, which is a completely valid request. It might be something we do in future, but I’m afraid we don’t have any plans to prioritise it in the near-term.

3 Likes

The user’s activity page is a quite common place for me; I frequently use it as a user. And it’s one of the places where it’s very difficult to notice that you also read PMs there as an admin.

Maybe the settings description is promising too much, as it says “in the admin UI” rather than “in some common places of the admin UI”.

Suppress topics and PMs from the admin UI unless they are participants. This is not a security feature: admins can always access all content on the site if needed.

2 Likes

Well this is where we as site staff ourselves also need to recognize and appreciate as the adage goes “Time wasn’t built in a day”

It requires time and resources. You sharing the team’s progressive update introducing this very positive first steps is fantastic. And while we are providing feedback/critiques. It is only to help foster the real needs to have this eventually more complete.

In @Canapin's topic that was made long ago there was a clear example if a community discovers the use of this feature/exploit can really damage a community. In that example a member here mentioned a competitor who had used this and was discovered and exposed lost the trust of the community resulting in a fair number leaving that forum and joined theirs.

Having been involved with Discourse for over 7+ years I have observed the team rethink their position on a variety of things they were flatly opposed to implementing. Like the option for users to block others. While it is a start on that. There is still much needed parity with other platforms that have proven a more complete block/ignore user is needed and does not actually interfere with having good discussion in a topic where users have used the block that is mutual. The current form is more like a personal shadow ban. The blocked user can still respond to a user who has blocked them.

1 Like

That’s fair. How about this as an improvement to the description?

Suppress private topics and PMs in some parts of UI for admins. Content will still be visible in some places. This is not a security feature: admins can always access all content on the site.

Any other tweaks you’d suggest?

4 Likes