Forum OpenACS Q&A: How Admin-do should work
- Drop my admin privilege for now, until I tell you otherwise.
- Turn on my admin privileges today (for X hours). [Requires password.]
By default, when an Admin logs in, he should have only the privileges of a normal user, because most Admins are also normal users of the site, and are usually logging in to use the site, not to immediately start doing protected Admin activity. However, you might as well give Admins a checkbox on the log-in screen, defaulted to off, which says, "Enable my Admin privilege immediately, for the next 10 minutes."
Probably, when an Admin tries to do an admin-thing the system should ask him for his password and implicitly push a "Turn on my admin privileges for the next 10 minutes" button for him. However, it wouldn't be so bad just to deny the action and give him a link to the "turn on my Admin privileges" page instead.
But if an Admin needs to, he should be able to explicitly enable - and leave enabled - his Admin-ness for some longer period of time. Depending on the site, this time should probably be 1 to 24 hours.
And of course, very preferably, the "10 minutes" expiration time, just like with sudo, should be counted from the last successful Admin operation, not from the time it was turned on. This means if an Admin is admining away feverishly for 3 hours, the "10 minute" time will never expire until he's done. It's not absolutely critical, because an Admin should always be able to just explicitly turn on his privileges for longer instead, but actual real-world security will probably be better with the smart "timeout clock starts from last admin operation" feature.
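The scheme described in the post above, sketched as an added example that is not part of the original post and is not OpenACS code: privileges are off at login, turning them on needs the password, the short window restarts after each successful admin operation, and an explicit longer window is capped. The class and function names, the PBKDF2 password check, and passing the clock in as `now` (seconds) are assumptions made for the illustration.

```python
import hashlib
import hmac

SLIDING_SECS = 10 * 60          # the post's "10 minutes"
MAX_EXPLICIT_SECS = 24 * 3600   # upper end of the post's "1 to 24 hours"

def hash_password(password, salt):
    # Stand-in for the site's real password verifier (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class AdminElevation:
    """Per-session elevation state for an account that holds the admin role."""

    def __init__(self, salt, pw_hash):
        self._salt, self._pw_hash = salt, pw_hash
        self._sliding_until = 0.0   # off at login; moved by successful admin ops
        self._fixed_until = 0.0     # set only by an explicit "for X hours" request

    def enable(self, password, now, hours=None):
        """Turn privileges on; the password is always required."""
        supplied = hash_password(password, self._salt)
        if not hmac.compare_digest(supplied, self._pw_hash):
            return False
        if hours is None:
            self._sliding_until = now + SLIDING_SECS
        else:
            self._fixed_until = now + min(hours * 3600, MAX_EXPLICIT_SECS)
        return True

    def drop(self):
        """Drop admin privilege until it is explicitly enabled again."""
        self._sliding_until = self._fixed_until = 0.0

    def is_elevated(self, now):
        return now < self._fixed_until or now < self._sliding_until

    def run(self, now, operation):
        """Run an admin operation; only a successful one restarts the clock."""
        if not self.is_elevated(now):
            raise PermissionError("admin privileges are not enabled")
        result = operation()                       # an exception skips the refresh
        self._sliding_until = now + SLIDING_SECS   # counted from this operation
        return result

if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample values
    session = AdminElevation(salt, hash_password("constructed-pw", salt))
    session.enable("constructed-pw", now=0)
    print(session.is_elevated(599), session.is_elevated(600))
```

A caller that catches `PermissionError` can either prompt for the password and call `enable()` or link to the enable page, the two options the post weighs.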