Require mail confirmation to grant admin privileges

Currently, downloading a backup requires clicking a link in an email as a second factor of authentication. This is awesome! :100:
I’d like to also see that when granting another user admin privileges.

Without this, I don’t really see the point in confirmation before downloading a backup: Assuming an attacker hijacked an admin’s session, couldn’t he simply sign up a new account with an email address he controls, grant admin privileges to that user, and then use that user to download the backup?

11 Likes

@fefrei are you … are you … thinking outside the box again? Get back inside that box at once!

How do you envision this working, exactly?

3 Likes

Hey, I’m claustrophobic! :stuck_out_tongue_winking_eye:

The new behavior would simply be:

  1. An admin clicks on Grant Admin.
  2. He’s shown a message saying We’ve sent you an email to confirm this action. Please click the link inside this email to grant administrative privileges to @username.
  3. He gets an email, clicks the link in it, goes through a JavaScript-button to prevent accidental “clicks” (just as with the activation link), and boom, @username has admin privileges :slight_smile:
10 Likes

Great suggestion. I’ve implemented it here:

https://github.com/discourse/discourse/commit/17f2974d0a99a6c38b1aa90abe68c9f8b69dc567

I basically implemented it as you suggested, except there is no Javascript button as we do for account activation. That was meant to prevent bots from signing up and I don’t think it’s necessary in this case. It still shows you a HTML form with a button though to prevent email clients from crawling emails and activating the admin though.

8 Likes

Ok! This covers the two critical cases for admins:

  1. Download db
  2. Grant admin

Both require email verification now. Thanks for that @eviltrout.

3 Likes

I’m curious about the rationale of this change. What does adding additional steps, which require external dependencies (email) actually accomplish here?

Case in point: We have a dev server with problems getting emails out. Trying to add an admin account to do troubleshooting, but I can’t do so because adding an admin requires email be working. :exploding_head:

Pretty much what is described in the first post? I don’t know what @fefrei could add to make it more clear?

Doesn’t someone signed in as an admin user already have full access to the site’s configuration & content, and control over all user accounts?

If the above answer is yes, I guess I’m still not sure what security benefit is achieved by sticking email in the middle of the process. I may certainly be missing something though…

By the way, link in the e-mail is broken, dunno if it’s translation dependent?

Edit: Found it, translation issue indeed. Do I have to correct it via Transifex?

Brief aside, do you have SSH/console access? Create an admin account from the console

1 Like

An admin does not have the ability to get to hashed user passwords without mail confirmation now. That’s a good thing :slight_smile:

3 Likes

Speaking of getting hashed user passwords…

How about creating a second database role for the Data Explorer?

grant select on #{database} to discourse_data_explorer;
revoke select password_hash, auth_token on users from discourse_data_explorer;
# repeat for other sensitive columns

#in data explorer execute:
Begin;
Set read only blah blah;
Set local role discourse_data_explorer;

(Note that this doesn’t actually work, revokes undo grants and can’t carve out of them)

6 Likes

OK, I understand it from a security/engineering perspective as some type of hypothetical ideal, but my comments reflect an actual user telling y’all that the UX is very bad for folks trying to migrate sites between servers. :sadpanda:

We disable email when doing migrations so notifications don’t go out inadvertently. These changes that require email to be enabled (a third-party dependencies to be working!) make it difficult-to-impossible for adding users or dealing with backups during that time, not to mention make it impossible to get your site out of a “broken email” scenario.

Now pardon me while I go back to pulling my hair out… :wink:

1 Like

Security is what it is. If you don’t want security, choose something else…

Wow, how long can we keep this open, was implemented quite a few posts up. Keeping this open is super confusing.

2 Likes