I can see how it is similar, yet there are issues in the other discussion that relate to the issue here:
Except that, when you’re admin, you have no way of seeing that a link to a confidential conversation your normally would not have access to is actually off-limits. This is only one case (that occurred to us yesterday and prompted me to start this topic) where the non-separation of admin and participant can be problematic.
Moreover, I see that the Discourse team has a habit to be all admins, which makes a horizontal superpower, and does not help, as a culture, to differentiate between normal usage and privileged usage. Not all communities are horizontal, sometimes the tech people who have administrator privilege should not be trusted with everything on the forum, and that is not an edge case: it’s been built in computer systems since the beginning that root can see and do everything. Privilege certainly comes with responsibility, but sometimes benevolence is not enough especially when one cannot distinguish between okay and off-limits.
Although the “use another browser profile” solution to handle a normal and admin account, it is not very practical, especially as we all get used to have the tools at hand. Firing up a new browser each time an admin feature is needed can be very annoying (not everyone likes nor can afford to having idle resources taken on their machine). It also does not prevent the prying eyes privileged BOFH situation from happening.
Times change. Here, we have an admin who accidentally accessed confidential information that affected the life of other people, and they were not supposed to. This is privacy breach. It’s a security issue.
I understand the potential complexity, but the core issue remains and should probably be solved one way or another. IMHO, it would be useful to revisit the question now that the code base has matured, and evaluate whether the proposed approach would be doable.
Yes! Having warning and guards about this kind of (trespassing) issues would be useful.
On existing plugins:
- GitHub - discourse/discourse-anonymous-moderators might be useful, but a recent change handling email (Enabling e-mail normalization by default) may change that – relying on no default settings may prove problematic.
- GitHub - discourse/discourse-staff-alias: Allow staff users to post under an alias is only limited to posting.
I’d rather have a really clean separation between participant and admin using the classical and well-known sudo metaphor, for all the reasons stated above.