Mostly IP addresses, but they also don’t need control of all the settings of the forum.
Agreed, would also like to see category specific moderators that have limited permissions as well.
And personally, I wouldn’t want all the moderators to have access to the following:
- All Member IP Addresses
- Server Email Settings
- Staff Action Logs (at least not of Admins)
My question is, if you don’t trust them, why are they Moderators?
It’s not as simple as that. With moderators having a lot more access if their accounts were compromised you wouldn’t want that much information exposed. That’s my main concern. Until 2FA is released I want to be a bit more weary on the access others have in case their accounts are compromised.
Also, personally I was lucky enough to have a team before starting my site as they are with me on other projects, however, many new forums are not that lucky and need to recruit teams on their site early on to help them out. This has happened with a large amount of forums, it is more likely the case than not unless the forum is built off a brand or organization.
But everything you want stripped away has existed on other forum software too. vBulletin had all of that available to moderators (well except for the email settings).
I don’t see the harm with moderators seeing IP addresses or the staff action logs (even admin entries). The admin could have changed a user’s Trust Level or Suspended them and it would be good for a Moderator to see when that happened (so they can act/alter their actions accordingly).
The thing you should be worried about is having your moderators choose secure passwords. If they are compromised the offending party can wreck a lot more havoc on your forum than simply looking up IP addresses or viewing the staff action log.
I’ve mainly made forums off of IPB and MyBB, which allowed category specific moderators and custom permission levels for staff. So if a member of the team had specific tasks their permissions could better fit the task, rather than an “all or nothing” approach that it currently has., especially when it comes to Admins.
That is not the only way to compromise an account, that isn’t even remotely on my radar as a vulnerability as the password policies we have with our team is very strict, no one is going to bruteforce / guess their passwords anytime soon. However, there are far more ways they can be compromised, most of which would be closed off with the implementation of 2FA, which the Discourse team already said they are going to add at a later date, but in the mean time, the more security the better is how I view it so I like to limit the possible information compromised or be able to have some level of customization of permissions, some staff may need more access than others, depending on the type of forum and the people involved.
So you’re thinking more along the lines of
rather than @NomNuggetNom 's suggestion to allow Mods to blindly Delete posts?
That’s one biased way to put it… Also, see his first post:
We trust them with permissions to delete, pin, etc, but they don’t need to see the back-end settings.
Moderators can NOT access Admin-only pages.
The moderation process is currently hobbled more than it should be now.
Being able to see account information often determines whether or not a post should be Deleted. That’s why I said “blindly”
I used SMF exclusively in the recent past and to my knowledge, mods only saw a separate moderator CP. Any and all admin items were never shown. The couldn’t even access the admin CP.
As for trusting moderators: I tend to have things that I would rather mods not be privy too. Their job is to help me mod the social aspects of the forum, not the technical side, and I don’t want them to see it.
IP addresses and action logs are a given; that is needed for their job.
The way I see it is if something goes wrong with security, I want it to be solely my fault and my fault alone. If someone else’s eyes can see behind the curtain, that’s a liability I can’t let go.
(If mods cannot see ACP settings, then just take my post as a voice of why it’s good that mods can’t see it.)
It’s set up in the code as a per-endpoint restriction. Some data is marked with
StaffConstraint and some is marked with
Ah, now I understand.
You could up their Trust Levels to give some added abilities, but you would like to give them a limited subset of the current Mod abilities.
Not unless they’re also Admins
Thank you for clarifying. Above, someone mentioned mods being able to see the admin panel, so I am glad that isn’t true.
They see /admin and have access to certain pages of it, but not all of it.
I suggest you create a moderator account and look around logged in as it, so you can see what they do have access to.
For example, “change site setting” in the Staff Action Logs is hidden to moderators, which is hard to notice without experimenting or checking the code.
Short of doing that, you could try “impersonating” a Mod.
For a quick but only partial idea, these screenshots may enlighten
Mod View of /Admin
Admin View of /Admin
The main issue is being able to see the properties of another user. That’s what we’d like to disable.
That is the some of the most crucially needed information a Mod needs to have to be able to make a fair decision.
IMHO you would be better off bumping members’ Trust Levels up and leaving Moderator status for those you trust. i.e. TL3 members can Flag as SPAM and make a post invisible (essentially deleting it as far as from other members perspective), and they can Retitle and Move topics.
No trust level can make a post invisible (it can unlist a topic, but that’s different), which is basically the deal breaker with using a trust level.
I think we’re both a bit wrong
Users at trust level 3 can…
recategorize and rename topics access a private "frequent flier's lounge" category only visible to users at trust level 3 and higher have all their links followed (we remove automatic nofollow) spam flags cast on TL0 user posts immediately reach the action threshold
The “action threshold” does more than unlist it, but it is only with TL0 posts