Admins can clearly see all private messages of all users


(Michael Downey) #1

Reproduce steps:

  1. As an admin, view a user’s profile page, e.g., Profile - downey - Discourse Meta
  2. Scroll down on the left column to the “Messages” heading and click the “All (N)” tab.

Expected results:

  • Admins cannot see personal messages from users.

Actual results:

  • Admins can see all content of all private messages. Yikes!

Rationale:

In email systems, even system administrators can’t easily view the content of regular users’ email accounts without invoking some type of auditable (e.g., “Staff Actions” log) activity. This is related to the trust that users place in the system that private messages are indeed private (at least from casual/easy viewing). There should be a bona fide reason for admins to need to view private messages that they aren’t involved in. In Discourse, that would (should!) be the “impersonate user” function. In a trustworthy Discourse design, this action would be logged to prevent abuse by a sketchy admin. (Or moderator too? I didn’t check.)


Admins can still read anyone's PM's by downloading the database
(Sam Saffron) #2

This has been covered before quite a few times afaik, it's by design, not a bug.


(Sam Saffron) #3

Privacy plugin that makes it more difficult for admins to read PMs
(Sam Saffron) #4