Setting up SSL for secure logins is easier and much more secure.
People without SSL might try what Matt described.
(2011-04-03, 10:50 PM)Uncontrol Wrote: [ -> ]That is an incredibly specific and uncommon scenario...
How can you tell it is so uncommon.
(2011-04-04, 12:00 AM)seeker Wrote: [ -> ]How can you tell it is so uncommon.
This is one of those situations where I feel it's safe to come to that conclusion without hard numbers. I've never heard of anyone doing this, and I suspect those who do are in a very small minority.
(2011-04-04, 03:41 AM)Uncontrol Wrote: [ -> ] (2011-04-04, 12:00 AM)seeker Wrote: [ -> ]How can you tell it is so uncommon.
This is one of those situations where I feel it's safe to come to that conclusion without hard numbers. I've never heard of anyone doing this, and I suspect those who do are in a very small minority.
You are probably right.
#
The irony is that people who do it (for security) are not going to talk about it, and you won't have any way to tell.
// Use SSL for secure login
I've seen quite a few people do it. And even if it's not commonly used, it would still need to be possible somehow for the people that do want to do it, and putting it in some out-of-the-way place away from the other usergroup settings wouldn't make much sense. We could put a popup alert in telling people what it will do, but after being here for nearly 3 years, one thing that's become apparent is that people don't read warnings like this, people would still do it. If people remove ACP access without reading what the setting actually is or taking two seconds to realise that it will mean they won't be able to access the ACP, then they should take more time to think about what they're doing before changing settings. There's lots of things that are settings but that you hardly, if ever, need to change; Board URL, cookie settings, but people still change these for no reaso, not knowing why they think they need to change them or what they should be set to, and then still end up kicking themselves out of their forum. People still create usergroup promotions that end up demoting admins even though you have to manually select the admin group as the original usergroup. There's only so much we can do to stop people doing things like this.
However, having said all that... adding something such as stopping people removing ACP access if there's no other groups with ACP access, or stopping people removing themselves from the admin group if there's no other admins, is something I'll look at adding to a future release.
There should at least be some message like,
"YOU ARE ABOUT TO REMOVE ADMIN ACCESS FROM THE ADMINISTRATOR GROUP. ARE YOU SURE?"
"REALLY?"
But you're right that people do mistakes like this all the time.
There's a popup message on the installation script if you try to install over an existing forum, it's in capital letters saying you will erase your forum and it cannot be undone, and there's still threads here with people saying they've run the install script instead of the upgrade script, having ignored this error. It's Murphy's Law; if something can go wrong, it will. Physically stopping people doing this if there isn't still one user/usergroup with ACP access is probably the only foolproof solution.