Should someone write a "Submit as" module?

robertdouglass's picture

Yesterday I downloaded and played with the Drigg module. Among its features is an option to let a privileged role submit content as a different user. The list of spoof users is also an administration option. The motivation for this is clear... it lets a handful of people easily make a site look like a bustling community. This is great for jumpstarting your Drigg site (which is designed to be a Digg clone), but how ethical is it? Furthermore, don't websites usually do this anyway, just using more labor intensive means such as logging in as different users?

This morning I briefly considered writing a separate module that adds the "Submit as" feature. It is very useful for what it does, and fits a different purpose than either the Masquerade or Devel modules, both of which let you switch users. The devel module in particular could easily be used to switch users and submit content using different account names.

The "Submit as" module would take a cue from Drigg, however, and let the administrator define the set of users who can be spoofed. This fits the task at hand much better. The devel module is for developers who need to easily see what the site looks and feels like to various users, and is almost never used on a live site. The masquerade module lets you designate one user account as the test user and certain roles can switch back and forth between their account and the test user, so this is appropriate for customer support and testing. The submit_as module would better fit the purpose of enabling a small number of users the power to simulate a large number of users.

It'd be an easy module to write, and lots of people would use it. Should it be written?

Comments

Actually..

ilo's picture

I've developed an account enhancement module, called in_behalf_of, or "sitter", as defined in the final module context for the game framework I'm working on. This module lets users assign account sitters. The sitter can perform almost any operation as the original user, which is the intended use of the module on the game site.

The sitter user can log in using the login username of the sitted account and its own password, so there's no need to exchange passwords between users. I had planned to add this module to the contrib list, but I'm a little busy with other developments.

I've included a link to the module if you want to test. It can be considered beta, just to get the idea. Users may define the sitter when editing their own account. Sitting information is displayed in the user view hook.
As I've used the default users autocomplete callback, for this to work without errors, the user should have permissions to list users (you can remove the autocomplete option of the form if that's not a good idea).

Download link: http://www.drtsg.net/files/in_behalf_of-5.x.zip

Use..

So you are user A going to be offline for a time, and you have a friend B: set user B as your sitter, and user B can log in to the system as user A using A's username and B's password. This way, user B performs operations as user A, on A's nodes, publishing content as A.

The degree of permissible actions is yet to be defined, which is also planned for the game site. Sitter should not be able to do any operation, for example, change user password. To do this right I thought about setting a role for the sitted logged-in user so permissions can be inherited by the user, but limited by that role, but permissions in Drupal are group-added, not limited, so I've another module limiting (denying) permissions. When a user has a permission due to its role, but also is assigned the limited role, the final permissions are those granted by the default role but not limited by the deny role.

Module should be improved, but as it is in test stage I postponed most of the todo tasks for it. I can move up the tasks to get the module published if anybody is interested.
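
The sitter login and deny-role scheme described in the comment above, modelled as an added example that is not part of the original post and is not code from the in_behalf_of module. The account names, the `sitting` role name, the permission strings and the audit line that records both identities are assumptions of this sketch.

```python
import hashlib, hmac, os

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password, roles):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "roles": set(roles)}

# Constructed sample data (not from the module).
USERS = {"A": make_user("a-secret", ["player"]),
         "B": make_user("b-secret", ["player"])}
SITTERS = {"A": "B"}   # account -> sitter chosen by the account owner
GRANTS = {"player": {"edit own nodes", "post comments", "change own password"}}
DENY_ROLE = "sitting"  # hypothetical name for the limiting role
DENIES = {DENY_ROLE: {"change own password"}}

def check_password(name, password):
    user = USERS.get(name)
    return user is not None and hmac.compare_digest(
        user["hash"], _hash(password, user["salt"]))

def login(username, password):
    """Owner's password gives a normal session; the sitter's gives a limited one."""
    if check_password(username, password):
        return {"effective": username, "real": username,
                "roles": set(USERS[username]["roles"])}
    sitter = SITTERS.get(username)
    if sitter is not None and check_password(sitter, password):
        # Acts as the owner, but carries the deny role and keeps the real identity.
        return {"effective": username, "real": sitter,
                "roles": USERS[username]["roles"] | {DENY_ROLE}}
    return None

def permissions(session):
    """Union of role grants, minus anything a deny role removes."""
    granted, denied = set(), set()
    for role in session["roles"]:
        granted |= GRANTS.get(role, set())
        denied |= DENIES.get(role, set())
    return granted - denied

def audit_line(session, action):
    # Assumption of this example: log both identities so sitter actions are traceable.
    return f"action={action!r} as={session['effective']} by={session['real']}"
```

Keeping the real identity in the session is what lets a site owner later tell A's own posts from those B made while sitting.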

This (the gaming sitter) is

aaron's picture

This (the gaming sitter) is certainly a legitimate use of this type of idea. I've seen many gaming sites (in particular) where you can have a 'sitter' account -- useful for people going on vacation who want time sensitive actions performed, and have a buddy they would trust for everything but their password.

There are several modules (or even Drupal itself, as an extreme example) that could be used for deceptive purposes. As long as there are legitimate uses, however, there's no real reason I can think of not to write it (assuming someone wants to go through the bother).

If something's really borderline, the module contributor could maybe put in a message on the administration screen warning of dire consequences. For instance, sending emails with ads in them to people under 13 is a big no-no in the United States. Does that mean we shouldn't have written the Send module? Of course not. Same with the Image module, even though it enables people to easily distribute offensive images.

Aaron Winborn
Advomatic, Web Design for Progressive Advocacy, Grassroots Movements, and Really Cool Causes

Aaron Winborn
Drupal Multimedia (my book, available now!)
AaronWinborn.com
Advomatic

Similar request from client

kbahey's picture

Two years ago, I was asked by a potential client to write a module that fakes a busy site. See Business ethics: would you have written such a module?

This was a more black and white case, since the sole use of that is to give the false impression that a site is busy. "Submit As" may be more grey, since it can have uses other than just making a site falsely look busy.

Drupal performance tuning, development, customization and consulting: 2bits.com
Personal blog: Baheyeldin.com


Interesting...

michelle's picture

I've read in many forum-building how-to articles that a good way to get your forum off the ground is to write posts under many accounts. I haven't been able to bring myself to do that, though. On my site, I want more than just a false impression of busyness. I want an actual community. I'd hate for someone to start getting to know one of my fake personas only to find out they were talking to a lie.

I do, however, have a use for this module. I like to have "my" account be just a normal user or maybe a moderator but not an admin so I'm using the site as a normal person would on a regular basis. However, I spend a lot of time in the admin account as well. Sometimes I want to respond to a post but not go through the effort of changing accounts. If I'm writing the node, I can simply change the author field but that doesn't work for comments. With comments, I have to submit as "admin" and then go back and edit it. That's more work than simply logging in as myself. If this module would let me submit comments as my other account easily, I'd love to have it.

Michelle


See my Drupal articles and tutorials or come check out life in the Coulee Regio

Use case

agentrickard's picture

Ethics aside, there are genuine uses for this.

Running our intranet site, I do a fair amount of posting on behalf of others -- meeting notes in particular -- and I generally tag those users as the author instead of myself.

--
http://ken.therickards.com/
http://savannahnow.com/user/2
http://blufftontoday.com/user/3

The Masquerade Module

mal-gdo's picture

Seems the masquerade module accomplishes much of this functionality.

...or am I missing something?

I agree the functionality is needed.

Site owners should be responsible for making their own ethical judgements.

Overkill

michelle's picture

Masquerade makes it look like you are logged in as that user. That's overkill if you want to stay in your account and just submit a node/comment as authored by another account.

Michelle


See my Drupal articles and tutorials or come check out life in the Coulee Regio

Masquerading will actually

christefano's picture

Masquerading will actually log in as that user, which updates the 'user' table and changes the access and login values. This is not an option if you depend on things like the Inactive User module.

Right, and users with

agentrickard's picture

Right, and users with 'administer nodes' can already do this. I presume the contrib module would allow non-privileged users a limited set of the same capabilities.

--
http://ken.therickards.com/
http://savannahnow.com/user/2
http://blufftontoday.com/user/3

So maybe I should write it

robertdouglass's picture

If there are legitimate uses then you can't help it if people use it for other things. Besides... making your site look busy is not really a sin... it's just somewhat deceptive. I doubt there are many startup sites that don't do this to some extent.

If you can live with yourself :)

andremolnar's picture

If I were evil... and say wanted to make my site look busy and popular and totally relevant to a topic, here's what I'd do.

Let's say the site in question was about Drupal (world's most evil CMS)

I would write the following evil module.
Evil.module would, upon install, create a new user role called "Drupalrati"
It would then create several user accounts with a random name generator that on first pass mysteriously created names like: Dries, Unconed, Eaton, Webchick, Walkah, kbahey, chx, robertDouglass, dww, Gábor Hojtsy etc. etc. etc. (don't be offended if your name isn't on the list - the random name generator plays no favorites)
It would then make all those users members of the Drupalrati role.
Evil.module would implement hook_cron to randomly choose a handful of usernames from those in the Drupalrati role and post randomly generated content and assign the posts to the users.
Random stuff like:

Awesome site man. I'm totally gonna shut down Drupal.org and redirect people here. I'm gonna be too busy with Acquia anyway.
You da man!
Dries

While evil.module is posting bogus content anyway- it might as well post bogus content for me too - to ya'know make me look extra 'tight' with the Drupalrati. On cron it would post replies under my username... fun stuff like

Chx, they say you couldn't be distracted, but it's obvious from the time we had at the disco in Budapest last night that you know how to parrrrtaaaay!
peace!
andre

When word gets out that this is the site where all the 'cool' Drupal folks hang out to talk Drupal... people will flock to the site desperate to create an account. Evil.module would then play the role of 'bouncer' or 'doorman' and put up a velvet rope. It would randomly deny people accounts (you know to create the illusion of exclusivity).

And in no time drupalforevil.com (yeah .com - this is a money maker) will be the most popular drupal site on the planet.

andre

Hmmmm

kbahey's picture

Hmmm.

I guess I know whom to hire when I become an evil overlord.

But we should not make any of those mistakes.

Drupal performance tuning, development, customization and consulting: 2bits.com
Personal blog: Baheyeldin.com


On some projects we have

christefano's picture

On some projects we have clients who live in their email and others who are using RSS and the extranet for updates. For the latter group, being able to "Submit as..." to add content on behalf of the former group would be great.

Changing authoring

catch's picture

Changing authoring information covers most of this doesn't it? I think what you really want to do is get comments as nodes into core so the option is available for those as well ;)

OG and email subscriptions

christefano's picture

When OG emails out new posts to a group's subscribers, it attributes the original poster and not the new author. I think that using the Job Queue module changes this.

The issue here, I think, is that for author information to be modifiable by a user, that user needs 'administer nodes' or 'administer comments' permissions. This is way too much power in some situations. (Comments being nodes isn't necessary since editing a comment with an account with 'administer comments' permissions reveals an "Administration" fieldset.)

Impersonate User

kbahey's picture

As we are discussing this, someone committed an "Impersonate User" module.

Add that to the mix of what is out there.

Drupal performance tuning, development, customization and consulting: 2bits.com
Personal blog: Baheyeldin.com


Actually

kiklop74's picture

Actually I wrote the Impersonate User module partly because a client wanted to replace several busy but key members of the site with several article writers. Another reason was to enable tech support to impersonate a user with a potential problem and by doing that detect potential issues more easily. We could not permit tech support to use either devel or Masquerade because they would give too much power to them. This way they can impersonate only certain roles.

If you intend to win, you must not lose.

Image Management vs Deception

As If's picture

I think the point to remember is that upon close examination, you will NEVER be able to draw a completely objective line between "Image Management" and "Deception". This is true not only of companies and websites, but of every human being who has ever spoken with another. We call it the "Persona" and it is an artificial construct. Granted, most of this deception is benign, unconscious, or at least culturally accepted, but it is unavoidable.

Seen in that light, it's obvious that there can be no hard-and-fast rule. All the questions come down to the actual case at hand, the actual people involved, and the relationships between them. Who is the deceiving party? Who is the deceived? What is the intent? ( <- this is where karma comes from) What is the harm? And how do you feel in your gut about this particular case?

The creation of such a module for a single site would (and should!) raise such ethical questions for the site's developer. In creating and distributing a Module with this same set of functions, you would be distributing the ethical questions as well. Some people would immediately understand this, and they would intuitively ask themselves anyway, each time they considered using the thing. But others would never see the ethical questions at all, and would rush happily along, applying the module to every site they built. Aren't these the same people who don't care about their karma anyway? Your only responsibility really is to point out that there ARE ethical concerns, and that all cases vary. After that, you have done your job.

By the way, it seems to me that since there are only so many hours in a day, the sheer amount of content a person can create via fake postings still equals their output under a single name. The result is (the appearance of) a population that is wide, but not very deep. I guess that means that using such a module might actually be of tactical benefit only when done shortly before an expected spike of new traffic.

LVX
TF

So how DOOO you jump start?

jamescarvin's picture

Funny thread. Guilty of doing this on phpBBnow and forums in the past, where log in and out is easy, for benign reasons. I'm new to Drupal. Just looking at modules for the moment. Is it hard to create multiple personalities and log in and out of drupal?

James Carvin
Thank you for your help!


Not at all

michelle's picture

Just create a few users. Logging in and out isn't hard and you can use the masquerade module if you want to make it even easier.

Michelle


See my Drupal articles and tutorials or come check out the Coulee Region

Thanks, and here is one other question

jamescarvin's picture

Great. Now I wonder if anyone could help me set up my news site. I took it off line when I put the node at the root at http://www.supermarketgreennews.com but I have quite a few articles written, which you can explore at http://www.supermarketgreennews.com.index.html

First I need to load on all the previous posts. Everything is in HTML, but there is a lot of good stuff, which I want to turn into not just a news, but information source site for supermarket executives, investors, contractors and suppliers and such.

All I'm doing at this point is converting to drupal from html. I need the old articles to reflect the authors and dates. One of the editors is a pseudonym already. (It's standard in the industry, not deceptive, to do that. No, I am not the evil green monster). I expect more to do ghost writing and use fictitious names as the number of journalists increases. And I also need to take articles submitted from people who aren't members, format it correctly and load it up, creating fictitious memberships on their behalf.

So the personality thing is not an issue morality-wise. And all I have to do is create another journalist profile member, it seems. My question is how do I control the time/date stamp function to reflect the original publication/submission date?

James Carvin
Thank you for your help!


..

michelle's picture

If you add the article as an admin, you have access to change both the author and post date/time. Just edit those to what you need it to be.

Michelle


See my Drupal articles and tutorials or come check out the Coulee Region
