administer permissions bypass
jasonabc - June 30, 2009 - 02:11
| Project: | User Protect |
| Version: | 6.x-1.2 |
| Component: | Miscellaneous |
| Category: | bug report |
| Priority: | critical |
| Assigned: | jasonabc |
| Status: | closed |
Description
Hi - I installed this to protect the Drupal superuser account (user #1) from being deleted by any role I have defined in my "Roles" area. It works great - but I've noticed that giving any role rights to "administer permissions" automatically gives that role rights to then "administer user protect".... Which means anyone assigned to that role can access the User Protect module, remove the protection around User 1 and then delete User 1.....
The only way I can see around this is making the superuser the only account on the site that can administer permissions.
Any ideas?
thanks!
Jason

#1
yes, you should only give trusted users that permission. you can also try http://drupal.org/project/roleassign to allow some users limited access to grant certain roles -- userprotect was written to be compatible with this module, hopefully the 6.x version still is... ;)
#2
awesome - will check it out - thanks!
#3
Automatically closed -- issue fixed for 2 weeks with no activity.
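The escalation path described in this issue can be checked for in a role audit. The following is an added example, not code from the User Protect project or from any poster in this thread. It assumes rows shaped like Drupal 6's `permission` table joined to `role` (a role name plus a comma-separated permission string), uses the permission names as written in the issue, and runs on constructed sample data that includes one hypothetical lookalike permission.

```python
# Added example: flag roles that can lift User Protect's protections, either
# directly or through "administer permissions" as described in this issue.
# Assumption: each row is (role name, comma-separated permission string).

GRANTS_ALL = "administer permissions"      # holder can grant any permission to a role
PROTECT_ADMIN = "administer user protect"  # permission name as written in the issue


def parse_perms(perm_field):
    """Split the comma-separated field into exact permission names."""
    return {p.strip() for p in perm_field.split(",") if p.strip()}


def audit(rows):
    """Return {role: reason} for roles that can reach the User Protect settings."""
    findings = {}
    for role, perm_field in rows:
        perms = parse_perms(perm_field)
        if PROTECT_ADMIN in perms:
            findings[role] = "direct"
        elif GRANTS_ALL in perms:
            # Exact-name match: a substring test would also flag lookalikes.
            findings[role] = "via " + GRANTS_ALL
    return findings


def affected_users(findings, user_roles):
    """Return sorted uids (other than uid 1) holding any flagged role."""
    return sorted({uid for uid, role in user_roles if role in findings and uid != 1})


# Constructed sample data (not taken from any real site).
SAMPLE_ROWS = [
    ("authenticated user", "access content, post comments"),
    ("editor", "access content, administer nodes"),
    ("site manager", "access content, administer permissions, administer users"),
    ("support", "access content, administer user protect"),
    ("auditor", "access content, view administer permissions report"),  # hypothetical lookalike
]
SAMPLE_USER_ROLES = [(1, "site manager"), (7, "site manager"), (12, "editor"),
                     (15, "support"), (21, "auditor")]

if __name__ == "__main__":
    found = audit(SAMPLE_ROWS)
    for role, reason in sorted(found.items()):
        print(f"{role}: can administer User Protect ({reason})")
    print("accounts to review:", affected_users(found, SAMPLE_USER_ROLES))
```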