Accidentally granting admin access

We can’t protect admins from shooting themselves in the foot. If a non-trusted user gains admin access, for any reason, all bets are off. The site should be considered compromised. The site owner should follow “What to do if your Discourse is compromised”.

Two notes:

  1. Granting admin access isn’t as simple as just clicking a button. After clicking the “grant admin” button, one must receive a link via email to finalize the process. It is unlikely that an admin grants admin access accidentally.
  2. Even if a malicious actor has admin access on a Discourse forum, that access doesn’t grant server access. The site owner would still be able to take action via the console on the server.

This discussion seems to have gotten off topic though. Accidental or malicious admin access doesn’t have anything to do with the moderation guide. I’m going to move this to a new topic.
