Well, you could read it directly from the database tables too, but I agree. Why? If you're that bored you need to get a life.
I've been Admin of e-mail for years and not once read other people's mail even though you "could". Need to have some internal ethics if you're going to be in a position of power.
Thanks guys. I TOTALLY agree with having ethics as an admin and one must really consider if they are up to it before taking it on. There was this stepmother support board I used to be on where the admins were doing that (becoming the user and reading PMs and changing profile info) and well, I have strong feelings about that and thought it was awfully wrong of them to do, but it's their board, their rules. Oh well.
Gizmo
Registered: 06/04/06
Posts: 11968
Loc: Portland, OR; USA
Even if the forum didn't have the ability to "become this user" and read messages/change data, they could always update information and read it through the database.
I think a great security measure would be to encrypt PMs using one of the several available PHP methods, but you must keep in mind that sometimes validating info in PMs is a necessity (imagine, if you will, someone harassing another user; if things were encrypted you'd be SOL).
I think encryption of PMs though would be a first in bulletin board standards, I think it could be kinda cool lol
Gizmo
Registered: 06/04/06
Posts: 11968
Loc: Portland, OR; USA
Why? Think of it, passwords are md5ed for security, PMs would be the same; SHA is a two way algorithm, unlike MD5 which is one way. You could decode the PMs as an admin or user viewing the PM, however some random guy who rooted your machine can't just view PMs or passwords in plain text... just a thought in any regards though
Mors
addict
Registered: 06/26/06
Posts: 445
Loc: So. California
Couldn't you create sub administrators using permissions found in the moderator section?
In the future, Rick, it might be a good idea to have a master admin capability that can create sub admins that can only create forums, normal maintenance routines but do NOT have access to user data other than being able to ban and/or resend password etc.
This type of model would also create separation of duty on the forums, making them Sarbanes-Oxley compliant. You would get more corporate sales then.
Not sure, just thinking out loud here. Security is something that could be a super strong selling point with the above described parameters being completely configurable.