Jump to:
| Project: | User protect |
| Version: | 6.x-1.2 |
| Component: | Miscellaneous |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed (won't fix) |
Issue Summary
Hi,
I am trying to satisify the desires of my client to have control over their site once it is created and in production, they have in the past had a designer/programmer who kept all control to themselves, OK until the relationship went bad and my client was locked out of his site. Nobody can get access and we are starting again having at least recovered the domain name.
What I want to do is, install Drupal as normal, create user 1, then create an administrators group with permission to do everything except interfere with the user 1 account then add myself and a couple of others to it. When we hand the site over I'll get my client to enter a new password for user 1. With a few similar things setup on the server to protect the directories and database the result should then be that even if we delete the content he should at least still have site access so can delete us if needed or restore from a backup.
To this end I have installed your module created siteowner account (user 1) and a so far a single siteadmin account and placed it in an administrators group. I can block access to the user 1 account, restrict admin access to the this module in fact everything seems to be working OK, but (there is always at least one). If as the siteadmin I go into the modules section I can delete the user protect module and uninstall it even though I cannot administer it, after that all protection is gone and it is possible to delete the user 1 account again.
Is it possible that if a role or user is restricted from administering this module they can also be restricted from deleting it ? I would suggest that we remove our access to the modules when we hand it over but my client doesn't fancy the idea of having to change passwords everytime we need to improve or change anything. IMHO if this module is to offer protection it really does need to protect itself as well.
Regards and thanks for a great module, I'll certianly be using it for other less demanding clients.
Dave
Comments
#1
the module was designed to give limited user admin access, not to take power away from a site admin who's been given a level of permissions high enough to delete modules.
that said, i'm not opposed to a patch that adds the level of protection you're suggesting -- as long as it's well implemented i would consider it for inclusion in the module.
if you're wanting me to write this feature any time in the near future, i suggest you contact me in private to sponsor it -- otherwise it will go on my long list of "stuff i do for free", which has a priority of "when i get around to it" ;)
#2
Hi hunmonk,
Thanks for the quick reply. I would really love to sponsor you but the world the way is now, there just isn't enough cash to go round for now. If things change I'll be in touch as you suggest, meantime I might have a go at it myself. I'm glad you at least think it's worth considering as an idea
Once again thanks for your hard work both sponsored and free.
Take care.
Dave
#3
i've spent some more time thinking about this, and have decided that i will not add this feature to the module -- it's out of scope. the problem is, it's like a cat chasing it's tail. the easiest way to decide if the user can disable the module is to check and see if they have the 'administer userprotect' permission -- but then what if the same user has the 'administer permissions' permission?
what you need to find is a 'Module protect' module -- a more general solution to this issue.