Only personal settings should be visible. Administrative settings and user management should only be visible when a switch is toggled or a button "switch to admin mode" is clicked.
The switch is reset after each login and a certain amount of time, e.g. 30 or 60 minutes.
The switching to admin mode is password protected with the user's password. Mandatory or optional. Another idea is to have two-factor-auth only for going into admin mode and normal login (user/pw) without admin mode.
The admin sees all admin settings
Nextcloud version: 14.0.3
cc @karlitschek @ChristophWurst
GitMate.io thinks possibly related issues are https://github.com/nextcloud/server/issues/3416 (admin password confirmation problem), https://github.com/nextcloud/server/issues/213 (Allow admin to define a password rules), https://github.com/nextcloud/server/issues/10706 (Add admin password time indicator), https://github.com/nextcloud/server/issues/4533 (Nextcloud keeps asking for admin password), and https://github.com/nextcloud/server/issues/9729 (WebLoginFlow: toggle password visibility).
Not sure I understand? Why would you need this? If the admin is also a normal user then two separate accounts should be used anyways
Hi,
the idea behind this is to avoid using two accounts. The downside of the two-account-solution is that especially in the set-up-phase of a new Nextcloud, you have to switch between the accounts all the time.
Also, two accounts don't necessarily add security. Most administrators will use the same password for their normal user and their admin account, so there's no significant difference between two accounts and one account with a second password-barrier.
So, it can be nailed down to two points:
We already try to do this: we have this little popup that asks for the password again if it wasn't entered within the last 30 minutes. You see this for example in the user management when creating a user. We should extend this to more settings and somehow also the API, but I would avoid an additional completely different concept.
This is shown when adding a new user:

cc @ChristophWurst @skjnldsv @rullzer
Morris, I see your point. Despite that, I think that my feature request offers a "cleaner" way of providing this.
I didn't have a look at your code yet, however I assume that you have some sort of "isAdmin" bool variable which controls whether a user sees the admin, user and app pages or not.
So, my proposal is: Instead of putting a 30 min timer onto every single setting one can change as an administrator, you could just put this 30 min timer to a global "show me the admin stuff" switch. And also, this switch could be deactivated by default on every login, so that an administrator can work as a normal user for everyday business and only elevate to administrative privileges if necessary.
It's true that this would be the cleaner way, but this also means that we completely need to redo all of our APIs and how they work. Also the shown stuff is already in the code since Nextcloud 13 and will get extended within the next releases. We try to standardize them. Basically they then mean the same protection without "hiding" stuff, but "prompting" for the password (see also the sudo command on the CLI or how GitHub did it - because we modeled it after that).
Morris, I doubt it's more work to do it the cleaner way. By going the way of securing every single switch there's always the chance of missing one, while the way I proposed all you need to do is to add a second variable "adminMode" (and go through the code once). Besides the fact that every administrative setting (also from external apps) can be set visible based on "adminMode", this would also - as already stated - help the administrator who is both user and administrator (my case) to separate clearly between these two tasks. For example, why not theming the Nextcloud in red when switching to admin mode? This could be done easily based on a second variable.
However, I think all arguments have been exchanged. After all, I'm not a paying customer, so I cannot do else than proposing what I see as best solution. Nevertheless, I'd be happy to see this implemented one day on a future version.
retracting the issue. I'm working with a two-account setup now.
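The "admin mode" switch debated in this thread, as an added sketch that is not Nextcloud code and not from any participant: a session flag that is off at every login, is turned on only by re-entering the password, and expires after 30 minutes. All names (`Account`, `Session`, `ADMIN_MODE_TTL`, `visible_sections`, `change_admin_setting`) are hypothetical, and the handler check shows that the flag has to be enforced server-side as well as used to hide menu entries.

```python
import hashlib, hmac, os, time

ADMIN_MODE_TTL = 30 * 60  # seconds; the issue suggests 30 or 60 minutes

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:  # hypothetical stand-in for a user record
    def __init__(self, name, password, is_admin):
        self.name, self.is_admin = name, is_admin
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)

    def check_password(self, password):
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))

class Session:
    """Created at login, so admin mode always starts switched off."""
    def __init__(self, account, clock=time.monotonic):
        self.account, self._clock = account, clock
        self._admin_until = float("-inf")

    def enter_admin_mode(self, password):
        # Elevation needs admin membership AND a fresh password check.
        if not (self.account.is_admin and self.account.check_password(password)):
            return False
        self._admin_until = self._clock() + ADMIN_MODE_TTL
        return True

    def admin_mode(self):
        return self._clock() < self._admin_until

def visible_sections(session):
    # UI side: only personal settings unless the switch is on.
    sections = ["personal"]
    if session.admin_mode():
        sections += ["admin-settings", "user-management"]
    return sections

def change_admin_setting(session, settings, key, value):
    # Server side: hiding the menu is not enough, the handler checks too.
    if not session.admin_mode():
        raise PermissionError("admin mode required")
    settings[key] = value
```
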