mahara-contributors team mailing list archive

[Richard Mansfield <richard.mansfield@xxxxxxxxxxxxxxx>]

We've deliberately not allowed admins completely free reign. Nigel was
totally against it, and thought admins should have to login-as
explicitly before they can do anything that's potentially privacy-
invading or even a bit sneaky.  I think I pretty much agree with him,
partly because it's useful to force admins through that bottleneck if we
ever need to introduce logging to find out who's been changing what (on
large sites like myportfolio there's a tendency for the number of people
with admin rights to grow too big).  If we wanted to reduce the big
brotherishness a bit, we might even consider notifying normal users
whenever an admin had logged-in-as them.  Also from a developer's
(selfish) point of view I quite like being able to see when access is
blocked when browsing around as admin.

-- 
Admin cannot check objectionable content notifications for views they have no access to.
https://bugs.launchpad.net/bugs/522361
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.

Status in Mahara ePortfolio: New

Bug description:
Admins who receive an objectionable content notification might not be on the access list for the view that's reported, so they get an 'access denied' message.

They could look at the view by logging in as the view owner, but they have no way to find out who the owner is when all they have is the view id.

A quick fix might be to change the objectionable content notification so it doesn't link to the view itself, but to a page in the admin section with information about the view owner and instructions to log in as the user to see the view.

A better option might be to create a secret url token for the view (you can make these invisible to the view owner) and use the secret url in the link from the new admin screen (or directly from the notification).