Thanks for creating this very useful module. I hope I'm not sounding a false alarm here - please feel free to correct me if I'm wrong.

I've examined the cron code, and it appears that it is possible for this module to block / delete UID == 1 (admin user) on cron runs, under these circumstances:

  • Admin user hasn't accessed site in the time defined by inactive_user_auto_delete variable (very possible - I never log in as the admin user on any of my sites, unless absolutely necessary)
  • if inactive_user_preserve_content variable is set, Admin user has never posted any content (this is possible!).

In particular, if you enable this module on an older site, and configure it to delete inactive users, it is possible that the admin user (uid==1) can be deleted on the next cron run if the admin user hasn't logged in in a while - the deletion takes place on the same cron run as the warning/reminder emails being sent, so there is, in effect, no grace period or other sanity checking on first cron run after installing/configuring this module.

In any case, at a minimum, I think that this module should ensure that it never blocks/deletes UID == 1 from the db tables in any code that performs a "delete from {users} where ..." db_query call.

Ideally, it would be nice to be able to configure this module to never warn/block/delete UID==1, and any users who are members of selected roles. (IOW, define a list of protected roles). But that's a feature request for another day.

Comments

Crell’s picture

Status: Active » Fixed

Hm, right you are. Deleting uid 1 is bad. :-) I've tweaked the cron hook to exclude uid 1 from everything, so the admin should never be affected. I like the idea of a "protected roles" concept, too, but that should be filed as a separate feature request.

Committed to 4.7. Thanks.

Anonymous’s picture

Status: Fixed » Closed (fixed)