
Security within reporting a PM

Started by William Wolfe, February 15, 2013, 06:11:32 PM


William Wolfe

When someone reports a PM, I've noticed all it does is send a PM to the admins containing the reported pm. I've also noticed that there's no special "tick" that tells you it's a real report with a real quoted message rather than a hand typed PM. It simply just gives you a PM with the info:

<reporter> has reported the below personal message, sent by <sender>, for the following reason:
<reason>

Below are the original contents of the personal message which was reported:
Quote from: <user> on <date> at <time>
<original message>


Given that any user may send an admin a PM, it'd be easy to impersonate a reported message. It'd be more secure if the forum automatically added some type of mark indicating it's a real report instead of a PM that a user made that looked like a report.

My suggestion: Make it so that when a user reports a pm, it uses the same system as reporting a post does. It alerts mods/admins of the forum and has a snippet of the post/pm.

Arantor

There is a huge problem with using the same system as reporting a post - privacy. Many people on a forum can see the reports area, only actual admins can see the PM report.

Which sort of means it needs to stay in the PMs (especially as you can select who it would be sent to.) Trouble is, pretty much anything that you can think of in a PM could potentially be spoofed...

emanuele

Yep, it would need at least a separated page/s, something like that may work:
https://github.com/emanuele45/playpen/compare/pm_report
I was just playing a bit: the text strings should be different from posts and PMs, and something may be broken. O:)

Since the "permission" system is based on board ids, having 0 in id_board is enough to exclude anyone that doesn't have admin rights from seeing the reported PMs.


Take a peek at what I'm doing! ;D




Need support in Italian?

Help us help you: explain your problem well: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.

Arantor

Actually, I know how it could be done without having to create a separate page - and in a way that can't be faked.

Send it with a 'guest' account. Guests can't send PMs, so unless the spoof is sent and then the account is deleted almost immediately after, there's no way to even spoof the look.

In fact you could do it in a way that couldn't be done any other way (no sender id, no sender name) and forcibly display that in a different fashion so there's no chance of it being spoofed.
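A constructed model of the two ideas raised in this thread (emanuele's id_board = 0 rows that board-level permissions never match, and Arantor's report PM sent with the guest sender id that no logged-in member can produce). This is an added illustration, not SMF's code; the class and function names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model, not SMF's real code: a report PM whose sender id is
# the guest id (0), which the user-facing send path can never produce, and
# a report row stored with id_board = 0 so moderator board permissions
# never match it and only admins get to see it.

SYSTEM_SENDER = 0  # guest id: PMs from real members always carry id >= 1

@dataclass
class Member:
    id_member: int
    is_admin: bool = False
    moderated_boards: set = field(default_factory=set)

@dataclass
class PrivateMessage:
    id_member_from: int
    body: str

@dataclass
class Report:
    id_board: int  # 0 marks a PM report, otherwise the board of the reported post
    body: str

def send_pm(sender: Member, body: str) -> PrivateMessage:
    """The only user-facing path: the sender is always a logged-in member."""
    if sender.id_member <= SYSTEM_SENDER:
        raise PermissionError("guests cannot send personal messages")
    return PrivateMessage(sender.id_member, body)

def report_pm_as_system(reporter: Member, reported: PrivateMessage) -> PrivateMessage:
    """Report notification generated by the forum itself, never by a member."""
    body = (f"{reporter.id_member} reported a PM from "
            f"{reported.id_member_from}: {reported.body}")
    return PrivateMessage(SYSTEM_SENDER, body)

def is_genuine_report(pm: PrivateMessage) -> bool:
    # Display logic keys on the sender id, not on the body text, so a member
    # who types a report-looking message cannot pass as the system.
    return pm.id_member_from == SYSTEM_SENDER

def visible_reports(viewer: Member, reports: list) -> list:
    """Admins see everything; moderators only post reports from their boards."""
    if viewer.is_admin:
        return list(reports)
    return [r for r in reports
            if r.id_board != 0 and r.id_board in viewer.moderated_boards]
```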

emanuele

Yep, that would be a solution too.

But I'm also thinking about edge cases: for example if a PM is reported and the admin/s change. Let's say there is only 1 admin and while a PM is reported he decides to go and let someone else handle the forum. The report is lost. No way for the new admin to know that a PM was reported unless the old admin forwards the PM (that in theory would be borderline about privacy) or the user reports the PM again (that would be annoying for the user because he doesn't see any action at first and then he has to report it again).

Yes, very, very uncommon. Probably never happened. Though...

Also having it included in the moderation log would be a way to actually have a record that something happened at some point (unless the log is pruned, of course).

Dunno.


Arantor

Yeah in that case reusing the mod centre reporting code would be better, but I'd rather see it with a proper interface to indicate reported PMs versus reported posts (didn't check your code, you may have done that already)

emanuele

Yep, it's another menu entry in the dropdown (everything else is the same, just a toggle on some queries to be sure to count and return only the PM reports), I just didn't change the text because I'm lazy... :P (and it was something written quickly O:))


Arantor

There is one issue in there, though.

One of the original features was to choose the admin you sent it to - obviously this isn't an option now. I've used that in the past if I had what I felt was a legitimate complaint against one admin and wanted to refer it to a different admin.
