The Impersonated user should be notified that they are being Impersonated

Privacy is a very important part of a person’s life and the moment it gets compromised could ruin their whole life. I recently told my friend (who’s on another forum running Discourse) about the impersonate feature and she got very concerned with her privacy because there was no way she would know if an administrator is Impersonating her account. Users should be notified that their account is being Impersonated and should have a log containing all the recent impersonation sessions accompanied with the changes and information viewed. Impersonating without consent is very impolite and disrespectful, large companies are using Discourse and not all of them will admit to impersonating without consent, so please consider my proposal.

It should be a site setting to enable/disable if this feature gets activated. For most cases, impersonation is just for testing and you shouldn’t have to worry too much…unless the admins are rogue and want to compromise someone’s account.

There is a log in the admin section here: https://forum.example.com/admin/logs/staff_action_logs. Most changes to a user by an admin should be logged, so you can see whether they’ve done something crazy. I won’t be too concerned with this “impersonation feature,” but I think it’s nice if we can enable/disable notifications of impersonation.

I meant the user being Impersonated would have their own log, since that user supposedly wouldn’t have access to the admin panel logs.

This would provide a false sense of security. Admins are assumed to have full DB access. They can download the DB, fiddle with the DB and upload it.

The assumption is that Admins are trusted, if they want to notify an end user that they impersonated an account they can do so.

One example is that only team members are allowed to have access to admin in our forum.

Like @sam said, if there’s some admin you can’t fully trust, make them a moderator, they won’t have impersonation powers or all of those “super-powers”(examples are view email, generate API, etc. )

It however would still be appropriate to automatically inform the user that they are being Impersonated. Sure, I trust the admins, but the lack of transparency? No, if this feature pushes through, at least other forums would know that this is a feature and even if the admins modify their DB to not notify their users, it would still be there as proof that the forum can notify their users

The information I provide in my account should only be accessed when needed or when I seek assistance. It would also be proof that in the event an unauthorised action was done under my account, I would have proof that it was caused by impersonation.

The whole idea here is not entirely security, it’s more of being transparent and on point with a forum’s users. I simply don’t want admins to randomly use my account while I’m sleeping for debugging or doing actions without my consent, it’s impolite as I’ve mentioned.

Note:
I’m speaking as a basic user, not an administrator.

We have been down this rabbit hole before in another context, messages for example are called “personal messages” not “private messages”.

I am kind of open to adding some sort of global setting for “impersonate is not allowed even for admins” but this would only be a hurdle, a determined admin can always impersonate without you knowing. False sense of security is worse imo than pretending something is the way it is not.

Like I said before, if you trust the admins, you wouldn’t worry about them doing something wrong with your account, meaning that a notification won’t be necessary.

Why would an admin impersonate you(for debugging) without you telling them that your account is broken?

Even if we remove impersonation, admins can potentially expose information such as email and IP. We still won’t have “full-security” even if we remove impersonation. Then this gets to something like:

• Admins can’t impersonate
• Staff can’t view IP
• Admins can’t view email
• etc…

And technically it means…
Staff members can’t do anything!

Staff should be trusted, and the owner believes he/she can entrust them to use the staff permissions reasonably, making him/her grant permissions to those users. The owner knows they can handle it. Anyways, I’m half/half towards adding this feature.

Yeah the more I think about this the more I think… if you don’t want admins then simply don’t have admins.

But then @sam, @Mikitos is a basic user at that board, meaning he can’t choose to have admins or not.

Ok, outside this situation…
The owner trusts the admins sooo much, he knows they will not compromise his account or others. That’s a lot of trust. Admins can revoke admin on other accounts, and the owner knows the risks of it and grant the user admin. Otherwise, if the owner’s not some dude who gives every member admin, it should work without a problem.

It is just a rats nest that I do not want to get into:

• We implement “notify user that admin impersonated”
• We implement “notify user that admin restored the database”
• We implement “notify user that admin looked up IP”
• We implement “notify user that admin looked at email”

I simply do not see us doing any of this.

This makes it one feature…Notify the user, everything that a staff did to the user… That’s annoying and unreasonable.

Remember, discourse is a “self-trust” forum, meaning users will automatically earn that trust over time. TL4, admin, and moderators are for those who exceed the expectations, and the owner/staff thinks the user is ready for promotion. This is why I discourse.

I actually like the idea of transparency overall. Discourse is tracking nearly everything.

It would be great in user perspective, that all logged activities about my profile and admin actions will be available for download & view.

Let’s call it „balance of interests“
Trust isn’t a one way street.

Why I think so: I‘ve had a bad personal experience with my former employer. After I‘ve had some trouble about safety and legal issues; (because he screwed everything up); he revoked my admin privileges and one specific badge, that should proof inside our workplace (lab), I’ve had my cnc machine introduction. We documented everything digitally inside Discourse.

He and his father (CEO) where fired (replaced) some time later. Only with support by a good friend (also admin), I was able to proof, he screwed everything up with bad intend and criminal energy.

What information?

Admins can see your PMs, your profile, your email address, your ip number, and everything else without impersonation. Admins have access to all of your information on every site that you ever visit on the internet ever.

Basically what you’ve mentioned is the information I was referring to, which is why I proposed a notification system to inform users that their account or information is being viewed or changed or used. Unfortunately technology can be reverse engineered which renders my proposal as useless, however it would still be useful for communities that do not maintain their Discourse software and cannot make changes so easily in the backend.

If admins can download a backup then they can have access to everything. If you don’t trust the admins on any computer system then no feature can solve that.

To be clear, when you use any online service you truly have zero privacy. There is always another way to access your data, bad actors will always find other ways to access your stuff.

Worse still, if they own the system every safeguard or audit control is trivial to bypass.

As @sam has already pointed out the idea of transparency here would be completely false, administrators can use data explorer to inspect any aspect of your profile. Postgres can be inspected directly too, bypassing Discourse entirely. For the truly determined they could also look directly at backups.

It doesn’t stop there either, because you’re using their software, so even on a site using encrpyted personal messages an administrator can theoretically read everything you type by inserting additional JavaScript within the page.

This boils down to one thing really - trust. If you aren’t willing to trust the site owner and the administrators they have selected, then you probably shouldn’t register on the community. Transparency only works if the staff are willing to behave ethically and in such situations they already have the option to let you know directly.

I would also add that the illusion of protection is quite dangerous. It is better that people are up front about the trust necessary and the reality of who has access to what.

With a risk that this may be slightly off-topic: perhaps this (who has access to what) could be made more transparent on discourse forums?

For most folks here, it may be obvious that admins have access to everything, but then again, judging by how often this fact has been mentioned here on meta, that may not even be true. In any case, the average user om most forums are not aware of this…

But it’s true on every. Single. Site. In. The. Whole. World. Discourse is the one that should teach everybody?

I think it comes up here so often because discourse is often someone’s first time administering software.