View permissions in Member UI #14

Closed
1 task
brynwhyman opened this issue Feb 2, 2021 · 5 comments
Comments

@brynwhyman

Overview

With a new component being added to the Member UI, it's being set up so that a user can only see their own details - permissions with access to other member profiles will not be able to see this component.

This issue covers how someone with escalated permissions might be able to interact with another user's session information. E.g.:

  • View all saved sessions
  • Able to use the 'log out' action for another user's session

Acceptance Criteria

  • TBC

Notes
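The owner-only rule described in the Overview (a member sees and manages only their own sessions; having permission to view other member profiles does not extend to their sessions) can be made concrete in code. The following is an added example and not code from Silverstripe or its session-manager module; the class names `LoginSessionRecord` and `SessionStore`, the method names and the sample data are all constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed example: one record per login session, tied to a single member.
final class LoginSessionRecord
{
    public function __construct(
        public readonly int $id,
        public readonly int $memberID,
        public readonly string $userAgent,
        public readonly string $lastActive,
    ) {}

    // Owner-only rule from the issue's Overview: only the member who owns
    // the session may view it. Admin or Security-section permission does
    // NOT extend to other members' sessions, so it is not consulted here.
    public function canView(int $viewerID): bool
    {
        return $viewerID === $this->memberID;
    }

    // Logging a session out follows the same owner-only rule.
    public function canLogOut(int $viewerID): bool
    {
        return $this->canView($viewerID);
    }
}

// Hypothetical store. Filtering happens server-side, so the UI never
// receives rows the viewer is not allowed to see.
final class SessionStore
{
    /** @var array<int, LoginSessionRecord> */
    private array $sessions = [];

    public function add(LoginSessionRecord $s): void
    {
        $this->sessions[$s->id] = $s;
    }

    /** @return LoginSessionRecord[] sessions the viewer is allowed to see */
    public function listFor(int $viewerID): array
    {
        return array_values(array_filter(
            $this->sessions,
            fn (LoginSessionRecord $s) => $s->canView($viewerID)
        ));
    }

    // Returns false for both "unknown session" and "not the owner", so a
    // caller cannot probe whether another member's session ID exists.
    public function logOut(int $sessionID, int $viewerID): bool
    {
        $s = $this->sessions[$sessionID] ?? null;
        if ($s === null || !$s->canLogOut($viewerID)) {
            return false;
        }
        unset($this->sessions[$sessionID]);
        return true;
    }
}

// Constructed sample data: member 1 and member 2 (treat 2 as an admin)
// each have active sessions.
$store = new SessionStore();
$store->add(new LoginSessionRecord(101, 1, 'Firefox on Linux', '2021-02-02 10:00'));
$store->add(new LoginSessionRecord(102, 1, 'Safari on iOS',    '2021-02-01 18:30'));
$store->add(new LoginSessionRecord(201, 2, 'Chrome on macOS',  '2021-02-02 09:15'));

$adminID = 2;
var_dump(count($store->listFor($adminID))); // int(1): only the admin's own session
var_dump($store->logOut(101, $adminID));    // bool(false): cannot log out member 1's session
var_dump($store->logOut(101, 1));           // bool(true): the owner logs out their own session
```

The point of the design is that the permission check lives on the record, not in the UI: whether the component is rendered for an admin is irrelevant if the listing and the log-out action both refuse anything the viewer does not own.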

@brynwhyman

This one needs a bit more thought before we proceed with grooming. See @clarkepaul's comments in https://github.com/silverstripeltd/product-issues/issues/345#issuecomment-787533096

@brynwhyman

Copied from: https://github.com/silverstripeltd/product-issues/issues/345

From @clarkepaul :

Pt. 2 An admin can already change someone else’s password, log in as them and logout their sessions in the case of an emergency. Feels like we can assume some people might object to others seeing their sessions and others wouldn’t care, my thoughts are that it just isn’t necessary. If we were to do it then there would need to be a system config to allow individual sites to decide what approach they want to take, which feels like a whole new story and not just an add on.

Related/alternative:

bring the reset of other people's accounts for admins into core.
automatically send a notification email to the account owner when a new device is used

@brynwhyman

An admin can already change someone else’s password, log in as them and logout their sessions in the case of an emergency. Feels like we can assume some people might object to others seeing their sessions and others wouldn’t care, my thoughts are that it just isn’t necessary.

I agree. In an emergency situation where a user's CMS account has been compromised by a malicious person it's too late for someone else to revoke all existing sessions, as a malicious person could already have changed the password, or created a new account.

In another scenario, if a device is no longer in a user's control (i.e. lost), they still have the option of logging in on another device and revoking their own session for the lost device. Giving an admin access to a simple "Log out of all sessions" action for another user could be helpful here, but having the user or the admin reset their password is equally effective.

If a CMS account has been compromised, a CMS admin also has the option of using the 'reset account' action for the compromised account. That requires a confirmation link sent to the compromised user's email to be clicked, but in scenarios like this there's no silver bullet, and you'd be better off doing something at the platform level like restricting any access to mysite.com/admin.

@brynwhyman

Hey @clarkepaul, the team has found that this functionality is actually already present. If you have access to the Security section (so can view member profiles) you have access to this.

Based on the discussion on this issue I've assumed this isn't a desired feature and raised this issue to remove the functionality: #57

We might want to have another chat about this.

@brynwhyman

Closing, see: #57
