In any forum, moderators can see the emails of users and even less the possibility of exporting them and downloading them to a CSV file.
This is a huge security hole. While promoting someone as a moderator means that you have confidence in that person, it is crazy to think that that person can have access to a list of users with data and can even download it.
It is not a question of trust, it is that a moderator should not have those privileges. A moderator is a person who helps in a forum, editing, moderating.
But that does not mean that you can have full access to download user listings. Even if you trust someone, they can deceive you.
Moderators need to investigate possible spammers, duplicate accounts, forgot my login/password, etc. Checking email addresses is important for many of those tasks.
There seem to be varying definitions of moderators. As far as I know:
In Discourse, trust level 4 is what most people call moderators. They moderate the discussion in the forum.
What Discourse calls moderators are people who have nearly administrator rights. They are staff of the forum. They have rights to flags, they can ban, they can suspend, they can do almost everything, except change the basic structure of the forum (which is up to admin). In short, Discourse’s moderators are moderators of the site, not the discussion.
Are you sure? If so, when is the log action supposed to occur: when the export is requested or when the file is actually downloaded?
I’m asking because we have a log of a moderator deleting a PM entitled “user-list-data-export-complete” and that PM contains a link to a .csv.gz-file for download. There is no log of any export, though.
Does this mean that the export was requested but the file never downloaded (which means that the export is only logged if the file is downloaded)?
You’re right, we don’t log user list export from Admin, Users, Export. I just tested this myself and I see nothing in Staff Action Logs. Can you add this to your high priority list @vinothkannans?
In that case, I’d like to suggest that the action is logged when the list is actually downloaded, not when the download is requested. Forensically, it makes more sense.
Not sure how it is handled with other downloads like backups, etc., but I suppose the same logic should apply there.