Hi, I am a moderator in our forum. I cannot ban a user. But I've found something strange:
When I go to a user profile page, I don't see the Account info button. But when I type the info page URL manually (http://example.com/user/info), for every user, even administrators, it opens and I can see the sessions, IPs, etc.!
Notice that I cannot ban users in account info, but I can see users' information.
forum.sanatisharif.ir/user/{user_name}/info
Also see another user's information
Security issue
I actually think this is intentional. Moderators are privileged users and should have access to the account info page.
This is not a security issue, and moderators should have the link to the page.
@mohammadhassan99 @sohrabafard Just confirmed that as an unprivileged user, the /user/:userslug/info route is inaccessible and returns the appropriate Access Denied error.
Maybe IPs and sessions should have their own permissions; I never give my moderators the capability to get this sensitive info about users.
I have updated the issue title accordingly. The reason we allow moderators to access this page is so they can better do their moderation duties. For example, viewing user IP addresses is helpful to determine whether different users are actually the same user (sockpuppets), and seeing flag/ban history is good to learn whether a particular user account has a history of being a troublemaker, and to escalate punishments accordingly.
@antoine-pous Now that global privileges are available, perhaps you are right, it is a good time to re-evaluate and potentially place this behind a different privilege 😄
Currently with dynamic IPs the moderators should only check if users have the same IPs (v4) during the past 48h.
The ACP could give this information on the users management page with a small heuristic feature.
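The 48-hour same-IPv4 check suggested in the comment above, as an added example that is not part of this thread or of NodeBB's code. The record fields (`user`, `ip`, `ts`), the function names and the sample data are assumptions constructed for illustration:

```javascript
// Added example: field names (user, ip, ts) and all sample data are constructed.
const HOUR_MS = 60 * 60 * 1000;

// Strict dotted-quad check; IPv6 addresses are skipped because the
// suggestion above restricts the comparison to IPv4.
function isIPv4(ip) {
  const parts = String(ip).split('.');
  return parts.length === 4 &&
    parts.every(p => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

// Returns [{ ip, users }] for every IPv4 address used by two or more
// distinct accounts within the `windowHours` hours before `now`.
function sharedIPv4(sessions, now, windowHours = 48) {
  const cutoff = now - windowHours * HOUR_MS;
  const usersByIp = new Map();
  for (const { user, ip, ts } of sessions) {
    if (ts < cutoff || ts > now || !isIPv4(ip)) continue;
    if (!usersByIp.has(ip)) usersByIp.set(ip, new Set());
    usersByIp.get(ip).add(user); // a Set collapses repeat logins by one user
  }
  return [...usersByIp]
    .filter(([, users]) => users.size > 1)
    .map(([ip, users]) => ({ ip, users: [...users].sort() }))
    .sort((a, b) => a.ip.localeCompare(b.ip));
}

// Constructed sample records (documentation address ranges only).
const NOW = Date.UTC(2018, 0, 10, 12, 0, 0);
const SAMPLE = [
  { user: 'alice', ip: '192.0.2.10', ts: NOW - 2 * HOUR_MS },
  { user: 'alice_alt', ip: '192.0.2.10', ts: NOW - 30 * HOUR_MS }, // same IP, in window
  { user: 'bob', ip: '192.0.2.10', ts: NOW - 72 * HOUR_MS },       // same IP, too old
  { user: 'carol', ip: '198.51.100.7', ts: NOW - 1 * HOUR_MS },    // unique IP
  { user: 'dave', ip: '2001:db8::1', ts: NOW - 1 * HOUR_MS },      // IPv6, ignored
  { user: 'erin', ip: '2001:db8::1', ts: NOW - 3 * HOUR_MS },      // IPv6, ignored
  { user: 'alice', ip: '192.0.2.10', ts: NOW - 5 * HOUR_MS },      // repeat login
];

console.log(JSON.stringify(sharedIPv4(SAMPLE, NOW)));
```

A match only shows that two accounts used the same address in the window; shared networks produce the same result, so it is a prompt for review rather than proof of a sockpuppet.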
@julianlam So here we have a contrast. I didn't know that I have access to the account info page. But accidentally I realized this fact. So if it is not a security issue, it is a bug, isn't it?
@mohammadhassan99 That is correct, it is a bug that should be corrected 👍
Hi @julianlam, I have to say that the information for some users is not shown in the info page. But you can see that information in the ACP. Specifically for those users who were online a long time ago.
For instance:

This user was online 12 days ago but moderators cannot see information!
Depends on #6250 before this can be resolved.
Actually profile links are already upgraded, so this is done in develop now.