Option to hide IP addresses from moderators

And by that you mean that you would have it… because I can use it for almost everything already, banking, taxes, even here

Im working on this feature! (or at least giving it my best shot)

My thoughts are to add an option in Admin>Site Settings>Security under the Moderators view emails radio selection. In accordance with the original feature request, instead of using this selector as a flag to turn the CSS for IP addresses on/off from Moderator’s view, we can check if the current user’s role is moderator on the backend and prevent rails from querying the database for IP fields on the User model. Also, lastly, hiding the IP selections in the UI on the user profiles/logs

Super high level overview but that’s how Im thinking of the solution. Should have a PR up this week for people to comment on if interested!

PR is up here for review! FEATURE: add option to hide IP addresses from moderators by Beznet · Pull Request #31456 · discourse/discourse · GitHub

I saw that this was approved at the beginning of March. But then it wasn’t merged, and now there are conflicts. What was missing in March to get it merged? What is the status of things?

Maybe consider using a VPN or proxy server. The Op even presented the simple hacky solution using CSS to which you can put code in do it only applies to non admins.

If you’re self hosted you could even make a minor plugin to make the mod server side vs client side. However a Full Moderator should be trusted enough to not be a concern. And if it is a concern there is Category Moderators that can manage flags they just can’t silence or suspend.

@RGJ has a plugin that can extend a partial Silence/ban from a specific category. There was also a plugin to extend Category zmod abilities but the Plugin is no longer maintained. So if Self hosted and have a budget either reviving the plugin or making the hide IP address from mods can be sponsored in Marketplace

This is why Discourse Meta supports custom Plugin & Theme & Theme component.

This request if made as plugin will change server side for best security. However a TC in theory should be fine as your full moderators should be chosen with much greater care than a Reddit Mod.

I disagree. If someone wants to misuse an IP address then they are prepared to make an effort, and they will not be stopped by a TC that only hides things cosmetically.

From a technical / legal point of view, the IP address is even sent to their device.

Which goes back to A full moderator is main site staff. If you don’t think you can trust them. Make them Category Mods as they like a Reddit Mod do not have access to any sensitive information.

If your full mods are ones that are the type to circumvent site controls. Should you be trusting them?

With Safe Mode can you make it so only Admins can use it or is the restriction capability only destructible to staff?

A truly trusted Staff member should be able to be trusted not to compromise site features/securities.

Now with the Category Mod extension plugin. I recall Sam saying he was not opposed to adding more optionals to the category Mod.

Imho your category plugin that adds option to silence and ban users from posting should be added to core. It would also compliment the Reddish theme parity with more Reddit like features.

Eve. Imho the full moderator should have more granular controls. But if the category Mod gets more options might be more than sufficient.

Even Admin could use some granular control options for admins that need access to certain admin features but the site owner would like to keep somethings restricted to higher level employees

Of course, you’re right. But this is not just about trust. GDPR and other privacy laws also require that you minimize the surface which exposes PII, i.e. if someone doesn’t need to see that data, they shouldn’t be able to have it.

You’re complicating things:

• If this is implemented as a TC, the IP address can always be seen by a moderator, safe mode or no safe mode.
• If this is correctly implemented as a plugin, the IP address can never be seen by a moderator, safe mode or no safe mode.

So you can have a plugin that is not disabled in safe mode? Doesn’t one of the options disable all plugins & Themes/TC?

If so then best security the PR as indicated in this topic is best?

image1168×355 28 KB

i.e. server-side modifications are unaffected by safe mode (if not explicitly handled by the plugin)

A PR to core would always be better than a plugin! But security-wise, it wouldn’t matter much.

I looked at the PR and don’t understand why it wasn’t merged either…? @featheredtoast ?

Thanks for the clarification.