Requiring password before admin actions can be taken

(Valentin Churavy) #1

I was thinking that it might be beneficial to have an option to require re-entering the password, before switching into admin mode or taking admin actions.

Github as an example requires this and I think the main reason is to prevent/slow down destructive action by an adversary who gained access to a device with an admin login.

The second feature I would like to see is 2FA, but that is already discussed elsewhere Two-factor local login option

If 2FA is implemented requiring 2FA, before admin actions would be great to have.

Any way for admin users to not be in admin mode etc?
(Wolftune) #2

In addition, buttons and actions that require admin permissions should look different from those that do not. Ideally a similar distinction for moderator actions.

This isn’t just about security from malicious actors, it’s also about security from admin carelessness…


(Jeff Atwood) #4

Can you be much more specific? Give me real world examples of actual mistakes and problems?

(Wolftune) #5

The first issue we’ve had just in exploring things: We have a top-level category but want everyone to post in sub-categories. There’s still a “new topic” button for moderators that looks totally normal, so they could (and did) inadvertently post a topic that normal users see but can’t respond to.

But the broader thing is the issue of wanting to give someone we trust higher level access (even full admin) but there are actions we want them to be really hesitant to do and avoid doing unilaterally unless necessary. It would just be nice to have some visual indication that something was a special admin action so they are extra careful with it.

The different views between two users are significant enough that logging in as two different users doesn’t strictly clarify what the non-admin experience is compared to admin. If a single-user could log-in and out of “admin” status, that would be cleanest way to understand the experience of non-admins.

I do think more experience will get us used to the status quo, but having this harder divide between admin and non-admin (and also mod and non-mod) tools / actions would make everything clearest to everyone.