Can someone with administer users permissions lock out the admin by changing their password?
I've searched the forums, but couldn't find a definitive answer.
In addition to myself, I've given one (extremely trustworthy) person permissions to "administer users". I know that when I go to edit any user's account, one of my available tasks is to reset their password, simply by entering the new password into each of the boxes and pressing submit. This got me thinking, though -
What if I were to have a falling out with my co-moderator? Could they conceivably lock me out of my own site by changing my password (and email address) without my knowledge?
I know there's a workaround to get into a locked out admin account, so I know I could get back in again (they don't have permissions to change permissions), but it would be terribly inconvenient. Especially if they had also changed the email address associated with the admin account.
Is there some built-in safeguard to prevent the admin account password from being reset by someone else who can edit user accounts? If not, maybe there should be. Something along the lines of an email that the admin has to respond to (or click a link in), letting them know that a request to change user 1 was made and it needs to be verified.

If I get you right, I think
If I get you right, I think a relatively simple solution is to create a new role via /admin/user/roles, say called senior moderator, & then define via ... /admin/user/access what he can do, and nothing more. Pay attention to what you allow under the users module. He does not need to have all rights the moderator has!
Actually, the only thing she
Actually, the only thing she can do (administration wise) is administer users. I just want to know if that means they would also be able to administer the administrator account (user 1).
I didn't see anything in the permissions settings that would allow me to restrict her user administration activities to only certain roles. It seems to be an "all or nothing" permission, allowing anyone with the administer users permissions to administer ANY user - even the administrator!
This couldn't possibly be right, could it?
"If you've ever owned a dachshund, no explanation is necessary...
If you've never owned a dachshund, no explanation is possible"
(with apologies to St. Thomas Aquinas)
I agree, in the world of
I agree, in the world of paranoid sysadmins; This couldn't possibly be right, could it??
I would like to give certain users the right to add/edit other users, not the ability to break
my own legs (or change my timezone for that matter)
New to drupal I would like to know how it is done, pardon me for being stupid
but I can't get it... :)
You are right
I have the same problem, I am preparing a site for a customer, giving him the users administration permission, with a special user "webmaster" that can do many things but not everything.
I don't want him to be able to modify the "admin" user, nor to see it if possible.
Maybe the only way, at the moment, is to edit some file.
Just to try, edit page.tpl.php of your templates and put this at the start:
<?php
global $user;
if ($_REQUEST["q"]=="user/1/edit" && $user->uid!=1) {
  die("Access denied");
}
?>
Then try to edit the admin account.
It's a test, do not use in a production site.
Message 'Access denied' not themed
The above code didn't work for me in drupal 5.1.
The code below works in drupal 5.1.
But I wonder how I can show the message 'Access denied' within the theme. Now the message is shown on an empty white page.
Thank you.
<?php
global $user;
if ((arg(0) == 'user') && (arg(1) == '1') && (arg(2) == 'edit')){
  die("Access denied");
}
?>
This code blocks everyone...
Your idea was brilliant, but this last code of Daulie blocks even the admin...
To give user/1 the right to edit its own profile, you have to add "&& $user->uid!=1". See below:
<?php
global $user;
if ((arg(0) == 'user') && (arg(1) == '1') && (arg(2) == 'edit') && $user->uid!=1){
  die("Access denied");
}
?>
For my site I'd like to kick the insubordinate user back to the front page, without any messages to him, but writing a warning message in the watchdog.
I use this code at the beginning of page.tpl.php:
<?php
global $user;
if ((arg(0) == 'user') && (arg(1) == '1') && (arg(2) == 'edit') && $user->uid!=1){
  $message = "Access denied to edit admin's profile";
  watchdog($type = "access denied", $message, $severity = WATCHDOG_WARNING, $link = NULL);
  header("Location: $base_path");
}
else {
?>
...and at the end of page.tpl.php...
<?php } ?>
GD
what about deleting admin
I used the code above and it worked great. But I notice users with admin access can delete user 1. Any way to stop this?
paranoia module
Check the paranoia module
http://drupal.org/project/paranoia
userprotect module
check the userprotect module: http://drupal.org/project/userprotect
Leaving the module default settings will do exactly what you want! By default, it blocks the editing/deletion of the admin user (except for the admin itself). Hope this helps.
NOT working!!!
I have no idea why the user protect module does not work!!! I have set the administrator and user1 as protected, so no one edits their details, but everyone who can access the user list can edit the user1 and admin's details... This is very annoying :(...
Thanks to anyone who can respond please..
Sorted
I reinstalled the user_protect module and it worked... It must have been because I made some changes to it. So the default works well.