How to alert if admin/mods read users' PMs?

Hey :wave:

Today I saw a disgusting opportunity: the administrator can read private messages of users without leaving the admin panel.

Also, the administrator can hide login in a user account, bypassing the password and 2FA to read encrypted messages (Discourse Encrypt).

I suspect that I am not the only one in horror of the administrator’s rights, and the position of the Discourse developers is unchanged - the privacy of users does not cost anything.

I want to ask, maybe someone found a solution to this problem to make the administrator’s capabilities more transparent and notify the user that an administrator authorized in his account or read his PM?

There is a setting in the backend that will log anytime an admin opens another user’s message:

It won’t notify the end user, but it does at least leave an entry. Is that sufficient for your purposes?

1 Like

No, this action in the logs can be viewed only by an admin/moderator.

I want to notify users if an admin/moderator signs in to user accounts or reads private user messages.

Notify by PM via the system bot or show these log actions in the user's profile, for example create a menu “logs” in the user's account settings, where users can view these actions (sign in/read PM from admin/moderators).

If I recall, the PM accessibility feature is only available to admins. Mods cannot open other users’ messages. So the simple answer is you only give admin access to those who specifically service and manage the Discourse instance itself. From a technical standpoint, those managing your instance could get access to the PMs from the database itself without generating log entries. As an admin of the site and the server it’s on, the only way to ultimately prevent admins from gaining that level of access is to encrypt the contents with a key they don’t have.

For the level of security you’re looking for, you basically need this:

I haven’t used it (yet), but I believe it generates and stores the keys client-side in a way where they wouldn’t be accessible via the impersonation feature. The key is still stored locally and impersonating shouldn’t provide access to it (as far as I’m aware). This is really the only way to protect the data in the database itself.

1 Like

I’m very annoyed that the Discourse “open source” strongly limits my opportunities as an administrator; he is very limited in the subtle settings of this forum. I can’t:

  • disable e-mail activation
  • delete default badges
  • change nginx CSP for secure onebox (iplogger)
  • clear all logs, statistics
  • install plugins via admin panel
  • install without docker with domain (not localhost)
  • view who is online without a plugin (lmao)
  • install Discourse on a non-USA server locale
  • set username/password for my database when installing the forum

But Discourse is a very good product for spying on users and logs more information about user activity.

Discourse Encrypt (for Personal Messages)

Yes, I used this plugin and can read encrypted messages via the admin panel. It’s very sad.

Actually, no. You cannot read encrypted messages of other users unless you have their key to decrypt it. Encryption/decryption happens on the client side, not on the server, and encrypted messages are stored encrypted on the server.

The ability of admins to read personal messages is an oft-discussed issue and won’t be changed. If you are concerned about privacy and security, then strictly limit who has admin access and only log in as admin yourself when you need to change site settings or download a backup.

You seem to be pretty unhappy with Discourse. It is open source so you are welcome to use different software.

6 Likes

Man, I tested it today.

Yes, security and privacy are very important in any software.

Therefore, I will accept your offer and refuse to use spying Discourse.

Are you sure you were looking at encrypted messages? The user has to actually set it up and start using it to send/receive messages. Existing messages created before they do this won’t be encrypted, and they can also still choose to send unencrypted messages.

Sorry to hear it but wish you all the best, and good luck!

3 Likes

Yup.
I enabled this plugin on a fresh install by default for all users.

Ciao!

I think you are looking at unencrypted messages. The admin would have to know the user’s password in order to decrypt the messages, and passwords are stored hashed with PBKDF2, which makes it a costly and lengthy process to brute-force the hashes. The encrypted PM plugin has an expiry function if you need extra privacy. In any case, even if the admin UI didn’t have the PM reading option, they would still be in the database in cleartext unless using the encryption plugin.

Open-source doesn’t mean privacy; I guess you’re confusing terms.

1 Like
