Admins can clearly see all private messages of all users

Reproduce steps:

  1. As an admin, view a user’s profile page, e.g., Profile - downey - Discourse Meta
  2. Scroll down on the left column to the “Messages” heading and click the “All (N)” tab.

Expected results:

  • Admins cannot see personal messages from users.

Actual results:

  • Admins can see all content of all private messages. Yikes!

Rationale:

In email systems, even system administrators can’t easily view the content of regular users’ email accounts without invoking some type of auditable (e.g., “Staff Actions” log) activity. This is related to the trust that users place in the system that private messages are indeed private (at least from casual/easy viewing). There should be a bona fide reason for admins to need to view private messages that they aren’t involved in. In Discourse, that would (should!) be the “impersonate user” function. In a trustworthy Discourse design, this action would be logged to prevent abuse by a sketchy admin. (Or moderator too? I didn’t check.)

3 Likes

This has been covered before quite a few times afaik, it's by design, not a bug.

2 Likes

https://meta.discourse.org/t/restrict-moderators-from-reading-all-pms/8618

https://meta.discourse.org/t/impersonation-and-reading-private-messages/8485

1 Like