According to http://drupal.org/node/32669, the "administer users" permission was created to allow certain roles to manage users without being able to change the access control or roles, and promote themselves.

However, nothing is stopping them from changing the password or E-Mail address on UID 1, and then logging in as the superuser, as pointed out in http://drupal.org/node/39392.

This patch corrects that by only allowing UID 1 to edit UID 1.

CommentFileSizeAuthor
usermodule.patch1.79 KBSteve Simms

Comments

Steve Simms’s picture

Status: Active » Needs review
Crell’s picture

Status: Needs review » Closed (duplicate)

This is a dupe. :-)

http://drupal.org/node/39636

Steve Simms’s picture

Aha. Ok, I might argue the resolution, but I can't argue that it isn't a duplicate. :-)

Oh well. It makes sense to me, so I'll keep it in my version.

Thanks!
Steve

sangamreddi’s picture

Looking for this solution. I'll test it report back here.

Crell’s picture

Actually I'd much rather see that patch (or this one, they're very similar) go in. I mentioned it in another thread as well. UID 1 should be extra-safe from others, because it's the site owner's trump card.

If you can think of a way to convince Dries, please share.

the1who’s picture

Version: x.y.z » 6.6
Category: bug » support

Has this been resolved with 6.6 version?

Or is this something I still need to apply a patch to?

edit: I mean, this is a really outdated support request, but I am figuring that if this was back in 2006, it most likely is included, but I wanted to ask first to make sure before i open up my moderators to help with user registration. Thanks!

Thanks in advance.

Matt