Current behaviour is: When impersonating a user’s account, the last seen date is affected by this action. This behaviour is confusing for other users and our staff since they assume, that the user was actually online at this date/time.
My suggestion is to not count the impersonation towards the last seen date.
I have to disagree with this. I am aware of a few forums from my communities that my friends and I have been a part of where the admins behind those forums would maliciously use ”impersonate” to try to get people into trouble.
Staff should have access to the staff logs that show when and who impersonated an account. You should make everyone on your team aware of it.
Admins could always reset that date in the database anyway, or prevent updating the last seen date using a plugin. If you cannot trust the admins then there is nothing you can do.
One thing that I think could actually help is sending a message to the user that they were impersonated. Yea, this could be undone by plugin makers but most malicious admins are usually teens that get scared by those kinds of stuff or adults that wouldn’t be really able to afford hiring someone to do program the plugin for them.
I think we’re getting a bit distracted from the subject here. The last seen being updated when a user is being impersonated is more confusing than useful.
If we need more auditing about impersonation then that’s a different thing.
By the way, I think you’re making some dangerous assumptions here.
Due to the nature of our topic, users are very privacy concerned. So whenever a long-time core “used to be” core user suddenly reappears and has a fresh “Last seen” date due to some admin impersonation, some of our users are either concerned or somewhat confused…
If you are using the new impersonation feature (enabled by setting the hidden site setting experimental_impersonation to true), the last_seen_at timestamp will no longer be touched when impersonating a user.
We are still in the midst of planning the rollout of the new impersonation feature to Discourse hosted forums.
I gather the intent of the new impersonation feature is to lower its impact, but there are currently effects besides last_seen_at. As near as I can tell, when impersonating, you’re being that user.
Click on a pending notification? They’ve now seen it.
Open an unread post? They’ve now read it.
Knowing this, I’d only use it for troubleshooting with the knowledge of the user. I’d have no problem with users being notified and provided with a log of activity in an impersonation session.