Discourse having trouble with topic ids again
-
Continuing the discussion from Interview with an Ex-Microsoftie (Topic #2006):
I can't open the topic anymore, either.
Maybe @PJH can bring some light into this matter.
Filed Under: Discourse is the best at what it's doing. It's just that nobody knows what the hell that is
Let's make this a real bug by posting it into the appropriate category and still mention @PJH
Discourse seems to be giving out topic numbers twice
2000 was a PM from me to @boomzilla about how the Dodgers suck
I sniped the number 2000
and then forgetting at least one:
Unless some admin had some fun with the numbers? But even if that was the case: The PM showing up under "Messages" and then not being accessible seems pretty stupid!
Filed Under: Took out the first 4 tabs because secret stuff | I don't even know why I used Opera for these Screenshots but who cares (INB4 people raging about opera in this topic) | I left in all the Dilberts for you guys
-
@. said:
2000 was a PM from me to @boomzilla about how the Dodgers suck
I can't (on mobile anyway) find any evidence of this one, or any like it near 2000.
-
What, somebody in the forum was lying? Inconceivable!
That just makes the disappearance of the PM even more suspicious!
Filed Under: two topics with the same id would have at least made sense as a problem
-
You keep using that word. I do not think it means what you think it means.
-
You could at least pick a word I keep using. What is this? I don't even...
-
whoosh.
I have PMs in the early 2000s, these are still visible. But we've had two sets of people talk about topic 2000 and I don't see any reason for either to lie about Discourse so I'm willing to chalk it up to race condition gone bad and another thing DC is shitty about.
-
I don't believe Discourse but @PJH seems to be a mostly trustworthy source of information.
Also did you just try to take my attention away from this thread?
Filed Under: inside jokes are always great, right?
-
-
I don't believe Discourse but @PJH seems to be a mostly trustworthy source of information.
Oh dear... I will be prodding more thoroughly about this tomorrow when I'm sat at PC.
-
I can't (on mobile anyway) find any evidence of this one, or any like it near 2000.
Yeah, that was @chubertdev's baseball insecurities showing through again. He doesn't have the guts to actually say that in private.
-
Meah. The Dodgers are the San Jose Sharks of the MLB.
-
Let's make this a real bug by posting it into the appropriate category and still mention @PJH
The error is that neither @Kuro, initiator of the private message, nor @faoileag, the recipient of said private message, are able to view said private message any more.
Bug filed.
https://meta.discourse.org/t/users-unable-to-view-a-private-message/18446
-
Wait a second... did you... You did...
According to your screenshot you made it look like you logged in as me and @faoileag. Are admins actually able to impersonate users? Or are you just honing your mad photoshop skills?
And by impersonate I mean log in and do everything the user can do (without even going into the database, I guess)... I mean, I am not even mad about you doing that since the cause was justified.... but if Discourse really allows you to log in as every average user this seems pretty bad design.
I also hope that Sam wants a link to see the pm because he is an Admin on this board, not just because he can view every message on every Discourse-forum ever....
Filed Under: I am at a loss for words here | Thank you for raising that bugticket, though
-
Are admins actually able to impersonate users?
[...]
And by impersonate I mean log in and do everything the user can do (without even going into the database, I guess)...
Yes.
I also hope that Sam wants a link to see the pm because he is an Admin on this board,
He is. As is Jeff.
He won't be looking at it until tomorrow, it appears, though.
-
That's... mildly disturbing.
I've seen 'switch permissions' before which allows for checking permissions without changing user id, but this seems very unpleasant.
It makes me think I could never trust using PMs (it's bad enough trusting PMs on other platforms, but this... ugh)
-
When I send my Privates in a message, I make it as publicly accessible as possible, the more eggs that see my bacon, the better chance I have of a fried breakfast by breakfast time.
-
I am curious now... how far does "Impersonate" actually go? Can you post replies as me? Can you send private messages? If so, do I ever see them? Also can you send a message as me to me?
Actually, this is a question to everybody: How does this feature help anybody ever? Except sending bugs to meta?
Filed Under: DISTURBING!
-
AIUI, it's exactly the same as logging in with the account's password, but without needing to know it.
It's an admin only thing - mods and level 4's don't have access to it, and I presume it's to view the account as the user for when problems, such as this, occur.
https://meta.discourse.org/t/why-is-there-an-impersonate-button/2699
-
The commentary about PMs is worrying. Normal forums do this by way of offering report functions.
The fact they think that making PM access easy is worrying in itself. Yes, it's in the database but most admins are not actually generally astute enough to trog through the database.
-
Normal forums do this by way of offering report functions.
Which are also available here in Discourse.
-
As pointed out there, access is required to deal with abuse - and some quick experimentation suggests that, despite what was said in that thread, only admins can view PMs - mods can't (I can't view my PM's on this account with my mod-only account, for example.)
-
They also allow mods access on default (as I understand it) because reasons...
I can kind of understand the reason for "making the messages of Users viewable" as this might be a simple way to solve problematic PM abuse to harass people. (The "report it"-way seems more reasonable, though). The whole "Oh boy, I can send messages as you"-feature just baffles me.
Especially if Mods can do it, too. This is not a "don't post if you don't trust the admin"-issue anymore.
As I understand it, @PJH could log in as me now, start sending porn to people over PMs and there would be no way for me to verify it wasn't me. And apparently in Discourse-wonderland Mods can do that, too. My IP is behind this account, I think. How is this even.... I don't know anymore. Am I wrong that this bothers me to such an extent? Maybe... I leave it up for other people to decide.
Filed under: @Arantor is that you? Maybe Sam posted from your account?!
-
Especially if Mods can do it, too
I'm fairly certain they can't - impersonation (and apparently viewing PMs) is admin only - at least from my experimentation.
-
Am I wrong that this bothers me to such an extent? Maybe... I leave it up for other people to decide.
Admin can technically go to the database to read the MPs themselves. I'm guessing the fact they have to go on another profile and click the "impersonate" button was enough of a barrier for them to think twice about what they were going to do.
If they are crazy-stalkers they would be able to do it anyway.
The "report" feature is already available with flagging, as said in meta.
-
@Arantor is that you? Maybe Sam posted from your account?!
The next time anyone agrees with @ , I can only assume that they've been impersonated.
-
And what's the underlining on @mentions. background highlighting isn't enough?
@aser slfkja klsafj dfoh hey, their new method of creating the @mention links on click-time if you fake it with the class=mention should mean that you can register accounts for the faked @mentions after they happen
also, i should be able to mention myself like this @dark matter. wonder if that sends notifications. notify @tuf :suspect: ty (sucks that only the 2nd half of the mention like works right :( click matter or ty and is good, first half is bad. )
-
@pjhh
goes the dynamite. or not... that's interesting... it eats it?
Not how it looks in the preview. Useless.why's no match!
-
As pointed out there, access is required to deal with abuse - and some quick experimentation suggests that, despite what was said in that thread, only admins can view PMs - mods can't (I can't view my PM's on this account with my mod-only account, for example.)
Sorry, but I call BS. Other forums do not give random access to PMs for just that reason. They have reporting functions for abuse, the need to randomly access other accounts should be extremely limited.
I am not agreeing with the choice Discourse has made here, because it feels so wrong.
-
And what's the underlining on @mentions. background highlighting isn't enough?
It was from when @dhromed put underlines back on a hrefs - I'll see if I can remove it from mentions....
-
aargh, too many underlines! I feel like I'm writing on lined paper or something.
Mentions are meh either way, but can we not have every single UI element underlined?
-
(For those fortunate to have missed this)
Underlines! Underlines (mostly) everywhere!
-
Sorry, but I call BS. Other forums do not give random access to PMs for just that reason. They have reporting functions for abuse, the need to randomly access other accounts should be extremely limited.
I call BS on your BS call. Giving "Admins" access is anything but random. It is, in fact, extremely limited. I think maybe the number of admins on this forum is maybe a bit high.
-
For those fortunate to have missed this
Ok - sanity restored:
/* Underline links in posts - only. (but not @mentions) */
.cooked a { text-decoration: underline; }
.cooked a.mention { text-decoration: none; }
-
I call BS on your BS call. Giving "Admins" access is anything but random. It is, in fact, extremely limited. I think maybe the number of admins on this forum is maybe a bit high.
Remember: I've been developer on a forum software, I've also been around that community for years. Most of the admins could not successfully find shit in the database even when given step by step instructions. Without the reporting-to-admin they'd be screwed.
-
Remember: I've been developer on a forum software, I've also been around that community for years. Most of the admins could not successfully find shit in the database even when given step by step instructions. Without the reporting-to-admin they'd be screwed.
So what? Your appeal to your own authority stinks as much as Jeff's. And your BS is still BS.
If you require admins to have to fuck around in the DB, you're doing it wrong (no matter what sort of software we're talking about), and that's not what Discourse is doing here. I don't have a problem with reporting something to an admin, but I also don't think that's sufficient. An admin should be able to inspect everything.
-
Discourse seems to be giving out topic numbers twice
Wait, so discourse doesn't just use an autoincrement in mysql or a sequence in postgre, oracle or identity in mssql?
-
Wait, so discourse doesn't just use an autoincrement in mysql or a sequence in postgre, oracle or identity in mssql?
What, like those *spit* PHP forums?
-
The basic premise of the bug-report was the fact that two people claimed to both have a private topic with the same topicID. PJH stated that one of them was a fake though so that part of the bug-report was done. There has been a bug about some internal ids being given out before. I can't be bothered to find it now, though. It was fixed over at meta.
Currently this topic is about the fact that the private topic in question can not be opened by the participants of it anymore and only by admins impersonating them. It's also about admins being able to impersonate users.
Filed Under: If this topic becomes a bit longer we can have the "compressed" version of it!
-
See, it might sound crazy, but if an Admin took the time to actually go into the database (and most databases I have seen are a mess) and were able to filter out how to post messages in my name ... they probably have a good reason for that.
If all they have to do is click on a button on the admin panel the barrier for doing it is much lower.
And while I don't know PJH and the other admins here well enough, I do trust them kind of to not do that kind of thing. But Discourse is not a software written just for TDWTF and this seems like a thing to invite admin-trolling and other stupid stuff without any valid justification (besides: you can find bugs easier... something this forum should try to not have).
As I said the fact they can just impersonate me on this forum is my problem...
Filed Under: PJH IS THE BEST PERSON TO EVER LIVE! | This post was not written by PJH. Not at all. Why would you even think that
-
This post was not written by PJH. Not at all. Why would you even think that
Because PJH wouldn't use the "Filed under" meme, especially with (#tag) styling.
... OR WOULD HE?
Filed under: DUN DUN DUNNNN!, I AM NOT DKF
-
But Discourse is not a software written just for TDWTF and this seems like a thing to invite admin-trolling and other stupid stuff without any valid justification (besides: you can find bugs easier... something this forum should try to not have).
But no doubt they would still have the power to update email addresses and so forth, so they could always simply take over your account if they really wanted to. I think this is pretty much a case of already being on the wrong side of the hatch.
You've already entrusted the site owner with a certain amount of control and information. You have to decide if you trust him enough to delegate that trust or not.
-
He just means that without this feature, it wouldn't be as simple as the click of a button (while in the reality, it's not that far…)
-
I would like to argue that but I can't, really.
The thing is: I can understand the reason for an admin being able to "easily" change the e-mail-address. You lose your password but when you first logged in you used an old address that is not valid anymore. You can convince the admin that you are the person who maintained that account and he can change your address to something valid so you can continue your conversations.
It's something that might happen "pretty often". I don't know... it just sounds like something forum-admins actually have to deal with. I can't see any reason for a user to ask an admin to take control over their account.
"Please, Discourse is too complicated, I need help. Please log in as me and set all the settings in my preferences-page to the correct value" just doesn't sound like anything anybody would ever say in a serious manner!
-
I can't see any reason for a user to ask an admin to take control over their account.
You mean other than the one literally referenced in this thread?
-
you mean where I supplied a screenshot? Yeah, I kinda left this one out. Gotta say, though, that I never imagined PJH impersonating me to take that same screenshot from his own browser
Filed Under: I guess I'll stop bitching about this now. I will accept it as something that is a thing and deal with it. I don't think it to be right, though. | I am also interested in why the PM-thing actually went bad.... so I am hoping for news from Sam
-
You keep using that word. I do not think it means what you think it means.
You stay here. If he falls, fine. If he makes it to the top, kill him!
-
There has been a bug about some internal ids being given out before. I can't be bothered to find it now, though. It was fixed over at meta.
That was to do with duplicate post_id's ids in http://what.thedailywtf.com/t/topic_name/topic_id/post_id URL's
and only by admins impersonating them.
Actually, this is incorrect - as the screenshots over at meta.d show - they appear to be only visible from admin accounts. Upon impersonation, the login ceases to be admin (unless the account being impersonated happens to be another admin account.)
But no doubt they would still have the power to update email addresses and so forth, so they could always simply take over your account if they really wanted to. I think this is pretty much a case of already being on the wrong side of the hatch.
The points raised a few times over at meta.d on a couple of threads by those concerned about impersonation/view PM's is that it's too easy to do (to the point where some have done the latter by mistake,) and there are no audit trails in place yet.
-
So what? Your appeal to your own authority stinks as much as Jeff's. And your BS is still BS.
If you require admins to have to fuck around in the DB, you're doing it wrong (no matter what sort of software we're talking about), and that's not what Discourse is doing here. I don't have a problem with reporting something to an admin, but I also don't think that's sufficient. An admin should be able to inspect everything.
I wasn't really appealing to my own authority. I was simply pointing out that in my experience, admins neither have the know-how nor the desire, nor even the reason, to go trawling through the database.
If content isn't being reported, that's not necessarily your cue to go looking for problems.
The problem is this is a dangerous enabler. Have seen this before with immature admins going through and reading everyone else's PMs, including material that was understood to be private, even if it's not actually private.
-
You mean other than the one literally referenced in this thread?
I'd be tempted to argue the problem in this thread should be one that is no longer relevant post-release, and I don't think there is any such limit in the software.
I'd be tempted to suggest that a slightly more restrictive implementation of "requesting permission" from the user to be impersonated might make people feel more comfortable about a feature like this. I can certainly agree it is a useful feature from an administrator's perspective though.
I guess I am looking at this from a surveillance perspective. Of course I know my phone company has a storage of all of my text messages, but I don't expect them (or even a tiny subset of them) to be able to go in and view them whenever they like without my permission. The same with email providers, cloud storage etc etc. There was a pretty big shit storm about stuff like this recently I believe...
I guess I would rather @PJH's life is a little bit harder every now and then (and it really should be a rarely used function), than any admin being able to view my PMs at the click of a button. I mean, what if me and @Arantor move our bromance (I know you've felt it too) to the next level and start sending each other dicsource pics in PMs? what if @PJH doesn't like that and me and @Arantor's hot anal loving ends up as revenge porn for millions of sweaty teens (and with bodies like ours, who could blame them?) I don't want to be the next meatspin, and I really don't want discourse to make it easy for @PJH to make me the next meatspin.
-
^^ This. Just because they can do it does not mean they should be able to do it easily or relatively indiscriminately.
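-
An added illustration, not part of the thread and not Discourse's code: a sketch of the two safeguards posters ask for above, an audit trail for impersonation and the user's permission before it happens. All class, method and account names are hypothetical.

```ruby
require "digest"
require "json"
# Hypothetical names throughout; this is not Discourse's implementation.
# Append-only log: each entry commits to the previous entry's hash, so
# editing or deleting an earlier record makes intact? return false.
class AuditLog
  GENESIS = "0" * 64
  attr_reader :entries
  def initialize; @entries = []; end

  def append(event)
    prev = @entries.empty? ? GENESIS : @entries.last[:hash]
    @entries << { event: event, prev: prev, hash: digest(prev, event) }
  end

  def intact?
    prev = GENESIS
    @entries.all? do |e|
      ok = e[:prev] == prev && e[:hash] == digest(prev, e[:event])
      prev = e[:hash]
      ok
    end
  end

  def digest(prev, event)
    Digest::SHA256.hexdigest(prev + JSON.generate(event.sort.to_h))
  end
end

class ImpersonationGate
  Denied = Class.new(StandardError)

  def initialize(log, admins:, clock: -> { Time.now.to_i })
    @log, @admins, @clock, @consents = log, admins, clock, {}
  end

  # The user grants one named admin a single-use, time-limited consent.
  def grant_consent(user, admin:, ttl: 3600)
    @consents[user] = { admin: admin, expires_at: @clock.call + ttl }
    @log.append(at: @clock.call, action: "consent_granted", admin: admin, user: user)
  end

  # Every attempt is logged before it takes effect, denials included.
  def impersonate(admin, user, reason:)
    verdict = decide(admin, user, reason)
    @log.append(at: @clock.call, action: verdict, admin: admin, user: user, reason: reason)
    raise Denied, verdict unless verdict == "allowed"
    @consents.delete(user)
    { acting_as: user, real_actor: admin, admin_rights: false }
  end

  private
  def decide(admin, user, reason)
    return "denied_not_admin" unless @admins.include?(admin)
    return "denied_no_reason" if reason.to_s.strip.empty?
    consent = @consents[user]
    return "denied_no_consent" unless consent && consent[:admin] == admin
    @clock.call > consent[:expires_at] ? "denied_consent_expired" : "allowed"
  end
end
```

The returned session keeps the real actor next to the impersonated account and drops admin rights, matching the behaviour described in the thread where the login ceases to be admin upon impersonation.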