Posted by warmth on January 9, 2013 at 11:18pm
| Project: | Drupal for Facebook |
| Version: | 7.x-3.x-dev |
| Component: | Facebook Connect |
| Category: | support request |
| Priority: | major |
| Assigned: | Unassigned |
| Status: | active |
Issue Summary
Usually moderators have access to all the social networks because they manually publish information there. Now that my Facebook account is connected to my global admin account of my Drupal site, any of my moderators will be able to enter as global admin by just clicking on the Facebook sign-in button and entering the Facebook credentials.
What can I do to avoid this situation?
The same is happening with Twitter here: #1884714: How to avoid moderators to login as global admin
Comments
#1
Sharing your Facebook credentials sounds like the first problem. I'd stop doing that.
Also, I'd avoid connecting your Facebook account to the Drupal admin account. I recommend logging into Facebook in one browser and administering Drupal from another.
#2
I think you misunderstood the whole point. I'm not sharing my personal credentials but the ones of the Twitter and Facebook Page/App belonging to the website. The website has moderators that control the social media of the site; they must have the credentials to be able to send messages to Facebook and Twitter.
Those credentials are the same ones connected to the site as App Keys providers, so if they use them to enter the site they will enter as global admin instead of signing in with their moderator accounts. So the problem is that I don't want to allow them to have access to the global admin, because that way they can modify permissions or mess things up.
IMHO, an option to disable the Facebook login to the global admin should be given, so if you try to enter with that Facebook or Twitter account you will be denied login.
Note: I'm talking about Twitter because I'm having the same issue with the Twitter module, as I said in my first post; even if it is off-topic, it's just to illustrate the problem.
#3
Are you logged into Facebook as the page, and not as your user? Then you go to the Drupal site, log in and it maps the accounts together?
Agreed, there should be a way to prevent admin accounts from ever being mapped to Facebook accounts. And if the answers to the above questions are yes, it sounds like fb_user should also test whether the user is actually a user before mapping accounts.
#4
The answer is yes.