Shocked to find out that anon users can use safe mode without any problems… thus bypassing loads of custom CSS, hidden elements and bypassing any plugin customizations…
Shouldn’t this be an admin-only feature? I see no legitimate reason why a regular user should be able to disable things the admin has set up for his visitors.
Disabling it for all non-staff though makes it far harder to deal with an issue that crops up and prevents login. It’s great if it’s admin (or staff) only, but what happens when something goes wrong and you’re not already logged in?
This situation actually crossed my mind, then I started thinking: when did I ever need to go into safe mode without being logged in?
Usually when I need safe mode it’s because 2 seconds ago I edited/enabled some theme/component - I can’t remember myself ever needing safe mode when I am not logged in.
And isn’t there a way to manipulate any setting in app.yml, similar to how we enable hidden settings?
When the site is broken even when you are not staff, it can be helpful to be able to use safe mode. Otherwise, you cannot visit /about to contact the admin about the issue.
I was very happy in February that there was a safe mode for users because it was the only way for me to use the site, while users with Safari had no problems at all. So maybe admins wouldn’t have noticed the problem.
Not sure, I would say that safe mode is definitely giving an easier option to bypass certain things;
e.g. bypassing Gated Topics is a lot easier with safe mode than editing the CSS in devtools - for this specific component it actually requires quite some edits to get the “normal” experience.
certain hidden elements could be revealed, that otherwise would never get reverse-engineered?
Obviously this is not something that I would be aware of, since I don’t expect an abuser to actually report his “bypass” method.
What about adding a setting that only Staff can log in when site is in safe mode? Users should still be able to access viewing About pages and public areas.