Accidentally granting admin access

What if an admin accidentally makes a user admin or moderator? Could that happen?

1 Like

it’s easy to revoke the admin/mod permission.

The grant button changes to revoke.

2 Likes

But what if a malicious user is expecting that, and grants everyone on a 2000+ -user Discourse forum admin permissions and revokes permissions on all existing admins, then suspends the existing admins so they cannot do anything?

1 Like

We can’t protect admins from shooting themselves in the foot. If a non-trusted user gains admin access, for any reason, all bets are off. The site should be considered compromised. The site owner should follow What to do if your Discourse is compromised.

2 notes.

  1. Granting admin access isn’t as simple as just clicking a button. After clicking the “grant admin” button, one must receive a link via email to finalize the process. It is unlikely that an admin grants admin access accidentally.
  2. Even if a malicious actor has admin access on a Discourse forum, that access doesn’t grant server access. The site owner would still be able to take action via the console on the server.

This discussion seems to have gotten off topic though. Accidental or malicious admin access doesn’t have anything to do with the moderation guide. I’m going to move this to a new topic.

8 Likes

If you need help recovering your forum, then sent me a DM with the console details.

Note on this is, a developer access can’t be revoked.

2 Likes

That has not happened. It was hypothetical, but thank you.

2 Likes