#5079 - Add additional admin session security / confirmation for sensitive member actions
-
By PDStig
- Added
- 5 views
| Identifier | #5079 |
|---|---|
| Issue type | Feature request or suggestion |
| Title | Add additional admin session security / confirmation for sensitive member actions |
| Status | Completed |
| Tags |
Roadmap: v11 (custom) Type: Security (custom) |
| Handling member | Chris Graham |
| Addon | core |
| Description | There are a few actions for which I believe should have enhanced security (due to laws governing GDPR, privacy, and data breaches) / require a confirmed admin session regardless of the admin zone settings, namely actions that could either modify or leak potentially sensitive information about members:
* Editing a member's username, password, e-mail, phone number, or credit card information * Deleting a member * Deleting lurkers * Merging a member (which involves deleting a member) * Exporting members (especially since potentially sensitive information including hashed passwords are / can be included in the export) * Running the Purge or Download action on privacy * Any / all screens which display a member's IP address or other identifiable information |
| Steps to reproduce | |
| Funded? | No |
The system will post a comment when this issue is modified (e.g., status changes). To be notified of this, click "Enable comment notifications".
Comments
However, through discussion with Patrick some more specific ideas came up, so I'll post these as new issues.
Problems:
1) It would be slavish to forcibly give member detail lookup more security than say, the zone editor, or anything that could cause massive havoc to totally destroy a site.
2) ... so we'd need proper configurability. But trying to implement a way of manually configuring different kind of session confirmation timeouts for different areas would be like creating an entirely new parallel privileges system, a massive effort.
3) It's a lot easier said than done forcing re-login. What if login is automatic via LDAP? What if it is through oAuth? What if login is 2FA (looking ahead here), do we force a full 2FA step to do stuff? Does that become configurable?
So instead, I think it's best to just bolster the existing system of forcing confirmed sessions and applying reasonable privileges.
I made these main changes:
1) Forced "view_any_profile_field" for member export (i.e. on top of normal Admin Zone access)
2) Forced "member_maintenance" for member import (FYI "assume_any_member" was already needed for importing usergroup changes)
3) Adjusted the Setup Wizard's high security profile to timeout sessions in 20 mins, and medium to 1 hour (which is the default pre-Setup Wizard anyway); this reduces the core issue of an admin confirming a session and then leaving their desk long enough for a sneak to mess with their machine
4) Only put password in exported spreadsheet if "assume_any_member" privilege
5) Fix session confirmation requirement for member account editing/deleting (was broken!)
6) Prevent AJAX scripts (etc) from bumping session timeout; we don't want an admin's machine to be left on and the notification poller (for example) to keep the session alive forever
7) Changed viewing member e-mail addresses to use the view_any_profile_field privilege not the member_maintenance privilege (for consistency)