Become admin

Problem

  1. Administrators may inadvertently access confidential parts of the forum
  2. Such unwanted access is not being logged
  3. Administrators may miss misconfiguration because of their superpowers hiding the normal experience to them

Feature description

In the same vein as the Impersonating a user feature, a user with admin privilege should be able to become admin to perform administrative tasks only when that is necessary.

Unlike the Impersonation feature, this feature should not require logging out to recover the normal user privileges.

This feature would:

  1. allow administrators to browse the site as a normal user, sharing the daily experience of other users;
  2. prevent admins from inadvertently accessing private spaces of the forum;
  3. safeguard unauthorized access to such private spaces with an actual log of admin access.

The first point is useful because the admin experience is so much different from the user experience, and admins may not be able to realize user issues (e.g., related to wrong permissions set on categories or groups, etc.).

The second point may be critical in cases where a group requires confidentiality: clicking a link might bring the admin to trespass inadvertently and break confidentiality.

The third point would enable administrators to be accountable for unauthorized access to confidential parts of the forum, while they’re currently not at all.

How could it work?

  • Privilege escalation should only be available to actual admin accounts;
  • “Admin” could be considered like an extra Trust Level (e.g., level 5 [1]);
  • Returning to “normal” mode would simply switch back to previous TL;

Instead of giving a whole new “admin perspective”, Admin mode could add an extra layer of user interface:

  • highlighting links that only work because you’re admin
  • highlighting categories you only have access to because you’re admin
  • highlighting group memberships that you can see because you’re admin (e.g., if you’re a member of the group with limited access to group membership, the highlight would not apply)
  • highlighting information that only admins can see

  1. A reference to Chris Marker’s film Level 5 in which a computer programmer tries to complete her deceased husband’s video game about the battle of Okinawa to overcome grief.

1 Like
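As an added illustration of the proposal (not code from the original post or from Discourse itself), a minimal Ruby model of a "become admin" mode: an admin account sees only what its normal group memberships allow, has to elevate explicitly, the elevation expires, and every privileged read of a private category is written to a log. Class and method names, and the 300-second expiry, are assumptions for the example.

```ruby
require 'time'

class AccessDenied < StandardError; end

# allowed_groups == nil means the category is public (constructed model)
Category = Struct.new(:name, :allowed_groups)

class AdminSession
  ELEVATION_TTL = 300 # seconds; assumed value, not a Discourse setting

  attr_reader :log

  def initialize(user:, groups:, admin:)
    @user, @groups, @admin = user, groups, admin
    @elevated_until = nil
    @log = []
  end

  # Privilege escalation is only available to actual admin accounts.
  def become_admin!(now: Time.now)
    raise AccessDenied, "#{@user} is not an admin account" unless @admin
    @elevated_until = now + ELEVATION_TTL
    @log << "#{now.getutc.iso8601} #{@user} elevated to admin"
  end

  def elevated?(now: Time.now)
    !@elevated_until.nil? && now < @elevated_until
  end

  # Returning to "normal" mode simply drops the elevation.
  def drop_admin!(now: Time.now)
    @elevated_until = nil
    @log << "#{now.getutc.iso8601} #{@user} returned to normal mode"
  end

  # Normal group membership grants access silently (the everyday experience);
  # admin access is granted only while elevated, and only with a log entry.
  def can_read?(category, now: Time.now)
    return true if category.allowed_groups.nil?
    return true if (category.allowed_groups & @groups).any?
    return false unless elevated?(now: now)
    @log << "#{now.getutc.iso8601} #{@user} ADMIN read of private category '#{category.name}'"
    true
  end
end
```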

I think this is similar to

1 Like

I can see how it is similar, yet there are issues in the other discussion that relate to the issue here:

Except that, when you’re admin, you have no way of seeing that a link to a confidential conversation you normally would not have access to is actually off-limits. This is only one case (that occurred to us yesterday and prompted me to start this topic) where the non-separation of admin and participant can be problematic.

Moreover, I see that the Discourse team has a habit to be all admins, which makes a horizontal superpower, and does not help, as a culture, to differentiate between normal usage and privileged usage. Not all communities are horizontal, sometimes the tech people who have administrator privilege should not be trusted with everything on the forum, and that is not an edge case: it’s been built in computer systems since the beginning that root can see and do everything. Privilege certainly comes with responsibility, but sometimes benevolence is not enough especially when one cannot distinguish between okay and off-limits.

Although the “use another browser profile” solution handles a normal and an admin account, it is not very practical, especially as we all get used to having the tools at hand. Firing up a new browser each time an admin feature is needed can be very annoying (not everyone likes nor can afford to have idle resources taken on their machine). It also does not prevent the prying eyes privileged BOFH situation from happening.

Times change. Here, we have an admin who accidentally accessed confidential information that affected the life of other people, and they were not supposed to. This is a privacy breach. It’s a security issue.

I understand the potential complexity, but the core issue remains and should probably be solved one way or another. IMHO, it would be useful to revisit the question now that the code base has matured, and evaluate whether the proposed approach would be doable.

Yes! Having warnings and guards about this kind of (trespassing) issue would be useful.

On existing plugins:

I’d rather have a really clean separation between participant and admin using the classical and well-known sudo metaphor, for all the reasons stated above.

1 Like

I agree that the sudo mechanism - in Windows, the User Account Control dialogue - is a good way for an account to have the potential to act as an admin, but without always having the ability.

On one of my forums, the approach I use is to have an admin login, but usually to use Impersonate User to log in as a normal account always all the time. When I need to act as admin, I log out and log in again. This does mean two accounts.

One advantage of two accounts is that when I post or comment with my normal account, I do not appear as a powerful important person. (Sometimes, commenting as an admin will be taken as a pronouncement or a police action. It depends on the culture and expectation of the reader.)