Lack of interest Separate Admin permissions for email communications

This suggestion has been closed automatically because it did not receive enough votes over an extended period of time. If you wish to see this, please search for an open suggestion and, if you don't find any, post a new one.
Mr Lucky

Mr Lucky

Well-known member
I have given my admins permissions for Users as it us useful for certian thinsg such as checking for duplicate registrations, deleting/merging users etc., but I'd be happier if they didn't have access to users' emails, and esecially not be able to batch email them and especially not to generate a list of all users' emails via Communication > email users.

I trust them of course, but who knows, they could suddenly get disgruntled and cause havoc with a mailout or (potentially worse) distribute the email list. In most cases I would think the ability to view and use emails is useful only to the forum owner, staff wouldn't normally need this and it adds a layer of responsibilty that could have legal implications.

Guess what prompted me to suggest this?
 
Upvote 5
This suggestion has been closed. Votes are no longer accepted.
Mr Lucky said:
I trust them of course, but who knows, they could suddenly get disgruntled and cause havoc with a mailout or (potentially worse) distribute the email list.
Click to expand...

Then you don't trust them.

If I was an admin on your site and this was shown to me, I would leave.

You have to accept an element of mutual trust.
 
Over the decades I have learned from experience that there is significant value in restricting access from sensitive and functions.
Friends go sour. Accounts get hacked. Mistakes are made. It makes a lot of sense to only give access to sensitive functions, if access is needed. IMHO its common sense and has nothing to do with trust or feelings.
 
webbouk said:
Then you don't trust them.

If I was an admin on your site and this was shown to me, I would leave.

You have to accept an element of mutual trust.
Click to expand...

Let me put this from another perspective.

I am an admin on another (very large) forum site that I don't own. I have user admin access which is useful because I can change user's usergroups etc.

There is a database of close to 100,000 users and I have access to their email addresses (which I will never need)

Now if something goes horribly wrong and those emails get leaked, in the eyes of whoever investigates this hyperthetical breach I will be one of six suspects.

I would really prefer not to have that access and not to be in that position of being a potential suspect. I don't mind betting that none of the admins on my own site want to be in that position either, nothing to do with me not trusating them right now.
 
Last edited:
You picked one personal information, but are ignoring all the others - why? Do you differentiate between email, location, any kind of custom profile field which could contain personal information?
I would support a suggestion which separates the display of personal information to admins, yet keeps the functionality they need to operate. For example, if you're checking IPs / emails / whatever, don't show those, just display "alt account found / not found because of same IP / ...".
Pretty much "moderate/administrate user" and "edit user".
 
yoloswaggerino said:
You picked one personal information, but are ignoring all the others - why? Do you differentiate between email, location, any kind of custom profile field which could contain personal information?
Click to expand...

Yes. Email identifies a specific person, up and location do not. Can a spammer be sold a list of IP addresses of locations?
 
Mr Lucky said:
Can a spammer be sold a list of IP addresses of locations?
Click to expand...
Depends on how specific the location is - if the username is the real name and the location is Demo Street 1, CA 12345 Demo City I'd say there would be a couple spammers interested in buying this dataset.
 
Not-that-savy people (you know, those users who do not know what a browser is) do that every now and then, they put a www. in front of their email address, they call you to ask questions about everything and the kitchen sink (becasue they stumbled upon your forum for a specific question using Google and don't even know they did that), ... :)
 
Mr Lucky said:
I’m not talking about street addresses, who would put that on a forum?
Click to expand...
Uhm, every customer-orientated forum without external shop?
Alfa1 said:
The issue is contact information which has a much higher risk of abuse than an IP address or a general location.
Click to expand...
Mr Lucky said:
Yes. Email identifies a specific person, up and location do not. Can a spammer be sold a list of IP addresses of locations?
Click to expand...
Associated accounts (Skype, FB, ...), real life name plus email, general and/or exact location, gender, full birthday, mobile number, ... There is plenty of personal information accessible to admins which is insanely useful to not only spammers, but also advertisers, social hackers and pretty much anyone who wants to deal damage or profit off your data.
 
yoloswaggerino said:
You picked one personal information, but are ignoring all the others - why?
Click to expand...

I think a couple of people are missing my point. Of course there can be some data other than email addresses held and viewable to admins.

My point is that emails are different because anyone can easily make a bulk list of all emails or send out a bulk email. It is the separating the Communication section from the users section that this suggestion is about.

That is not needed for many admins who merely need user access to be able to assign usergroups, merge users etc. as part of forum business.

The problem is not the ability to view some users' data on a user by user basis, but the ability to create and export a list of all email addresses. (e.g. via copy and paste)

AFAIK this cannot be done with street addresses, IP addesses, associated accounts etc.
 
There is really no difference between data compressed in a list and data freely accessible per item (user). If someone wants to hurt you or if someone is being suspected of having done something (your two scenarios), it does not matter at all at any stage in which form data is accessible. It's just the pure fact that the data is available which leads to the actions you are trying to avoid.
In fact, just by hiding one facet of the actual problem, you're willingly challenging bad behaviour because you are not fixing the actual problem ("oh look, you can't export emails anymore" - "i bet i can"). You're just slowing down the process of exporting emails, nothing more. Unless you're proactively checking every admin action, disabling email export should never ever give you any kind of relief or security.
That's pretty much why it's useless to separate only emails from User permissions. Therefore, separating User data ("edit") from User administration ("moderate") is a better approach, although I don't know what the downsides of that would be.

Btw, if you give any admin template permissions, they could extract the information with hidden template modifications on the members list - so that nobody except the admin (or whomever they choose, it doesn't even need to be an admin account) would see it. Only restriction would be items per page. Would work on profiles or anywhere where the user entity is called aswell.
 
Alfa1 said:
Over the decades I have learned from experience that there is significant value in restricting access from sensitive and functions.
Friends go sour. Accounts get hacked. Mistakes are made. It makes a lot of sense to only give access to sensitive functions, if access is needed. IMHO its common sense and has nothing to do with trust or feelings.
Click to expand...

Been on the receiving end of having an admin get her e-mail hacked.

That was an enormous headache.

More admin permissions in general would be good.
 

Similar threads

K
  • Suggestion Suggestion
Security Lock: User must contact Admin
2
Replies
23
Views
3K
Mr Lucky
Mr Lucky
kolakube
Using forums for client communications
Replies
12
Views
1K
Alternadiv
Alternadiv
K
  • Suggestion Suggestion
Separate email settings for non-transactional mails
Replies
2
Views
1K
Ludachris
Ludachris
Amin Sabet
  • Question Question
XF 1.5 Turnoff Subscribed Email by Default for Registered Users
Replies
7
Views
517
Amin Sabet
Amin Sabet
Kangy
  • Question Question
XF 2.0 Turnoff Subscribed Email by Default for Registered Users
Replies
3
Views
816
Mr Lucky
Mr Lucky
Top Bottom