In our forum, we have a few staff members (obviously) that can watch the forum just in case anything bad happens.
While I was messing around with the admin controls, I saw an “IP Check” feature. I used it on myself, and it gave me the exact location.
I saw that this could be abused, so I went to the Logs and Screening section to see if Discourse itself reports if a staff member has checked someone’s IP. It doesn’t.
Here’s a video:
Why does Discourse not report it to the Logs? I believe it should, since this could be abused easily.
(The user in this video was using a VPN for safety purposes.)
Die “IP-lookup”-functie zelf is niet uniek voor Discourse, je kunt het IP-adres eenvoudig kopiëren en plakken en een externe IP-locatietool gebruiken.
Dat gezegd hebbende, zou het goed zijn om een mechanisme te hebben dat vergelijkbaar is met het e-mailadres voor het IP-adres, waarbij het standaard verborgen is en een “Tonen”-knop heeft die de actie logt.
There was this one forum that was a branch to another forum (Gimkit Creative), and the owner of the other forum was secretly farming IPs to later on doxx people using alts on the Gimkit Creative forum.
The user has been long gone, anyway, and it happened last year.
Note that an admin can always bypass such a mechanism in various ways (create and download a backup, use the data explorer plugin) so it’s not 100% secure anyway.
If a staff member cannot be trusted, you have a different (and much bigger) problem.