Moderators can view emails and export user lists

This is… insane.

In any forum, moderators can see the emails of users and even less the possibility of exporting them and downloading them to a csv file.

This is a huge security hole. While promoting someone as a moderator means that you have confidence in that person, but it is crazy to think that that person can have access to a list of users with data and even that you can download them.

Viewing emails is logged and requires a click on a button to display. Similarly export is logged.

If you don’t trust your moderators, demote them to trust level 4 users.

That worked, thanks.

It is not a question of trust, it is that a moderator should not have those privileges. A moderator is a person who helps in a forum, editing, editing, moderating.

But that does not mean that you can have full access to download user listings. Even if you trust someone, they can deceive you.

Yep, turns out, nobody can be trusted. Including yourself.

Moderators need to investigate possible spammers, duplicate accounts, forgot my login/password, etc. Checking email addresses is important for many of those tasks.

There seem to be varying definitions of moderators. As far as I know:

• In Discourse, trust level 4 is what most people call moderators. They moderate the discussion in the forum.
• What Discourse calls moderators are people, who have nearly administator rights. They are staff of the forum. They have rights to flags, they can ban, they can suspend, they can almost everything, except change the basic structure of the forum (which is up to admin). In short, Discourse’s moderators are moderators of the site, not the discussion.

I can see where email inspection is logged… but for the life of me I can’t seem to find where exports are logged.

Wouldn’t it make sense to be under Logs > Staff Actions?

Admin_-_Lucee_Dev1340×548 70.8 KB

I exported the entire user base but I can’t see an entry in Staff Actions and I don’t see anything that looks like Export in the filter.

Any help much appreciated.

While I can’t find an evidence trail in logs, I have found a work around.

Profile_-_system_-_Lucee_Dev.jpg1688×846 111 KB

As System sends an export email, you can locate the user and review the Sent archive for Data export complete.

Hope that helps someone

Are you sure? If so, when is the log action supposed to occur: when the export is requested or when the file is actually downloaded?

I’m asking because we have a log of a moderator deleting a PM entitled “user-list-data-export-complete” and that PM contains a link to a .csv.gz-file for download. There is no log of any export, though.

Does this mean that the export was requested but the file never downloaded (which means that the export is only logged if the file is downloaded)?

You’re right, we don’t log user list export from Admin, Users, Export. I just tested this myself and I see nothing in Staff Action Logs. Can you add this to your high priority list @vinothkannans?

In that case, I’d like to suggest that the action is logged when the list is actually downloaded, not when the download is requested. Forensically, it makes more sense.

Not sure how it is handled with other downloads like backups etc, but I suppose the same logic should apply there.

It’s done as per below commit. Currently it’s logging when the download is requested.

https://github.com/discourse/discourse/commit/9281b72308c7844396d41d67d61305b93d148236