Hello,

I am the business owner of a multi-site drupal websites (not that technical myself so pardon my teminology)

I wanted to ask about how to ensure I have primary and complete control over my drupal sites and content.

A developer has developed the sites, and I am in a situation where I need to block their access and control for any malicious, destructive actions.

Some notes:

1: I have root level access at the host level
2: I have only user access at drupal login. (I can not even see a list of users / add or delete a user)

I assume there is some backend way to do it?

And not to sound completely paranoid, but how do you make sure they have not left themselves a "way in". That being said a good hacker could probably get in anywhere.

I appreciate your help in advance.

Thanks,
Sam

Comments

matt blaine’s picture

If you know the username of the main admin account (users table with uid of 1) you could reset the password for that user - http://drupal.org/node/302409

If you have database access directly through phpmyadmin or other you could also set the admin users email address to your own and then go to site.com/user/password and request a new one

drupalhopeful’s picture

Thanks Matt,

I dont know the main admin account username.

I dont know how to do your second option, but it sounds like to would solve it.

And I assume as long as I maintain secure control of the hosting (ie the database) then nobody else would be able to do the same, correct?

Also, as far as admin access goes. If I give a developer an admin user account, and have an admin user account myself, how do I maintain supremacy on the access? Is there something like superadmin?

Could you suggest someone who can help me to do this?

Thanks

matt blaine’s picture

you could do something similar from http://drupal.org/node/302409#comment-1002755

(edited for mistakes SET mail not SET email and not sure what init may be used for but is the original email used for account so change that also)

$query = "UPDATE {users} SET mail='your@email.com', init='your@email.com' WHERE uid=1 LIMIT 1";
db_query($query);
echo 'done';
exit();

this way you would then be able to do the password recovery for uid #1 which is the only superadmin and you should always try and keep for yourselves.

If you need other admin accounts I'd create a role that has all the permissions needed and then assign the user to that role.

drupalhopeful’s picture

Matt,

Thanks for your reply. Some things I would like to confirm if you can let me know:

1. So if I have uid#1 login for drupal and also root level superadmin control of the hosting (ie access to the database directly) then I would have complete control over who has access, and can shut off peoples access?

2. If I have another admin that has uid#1, will they have the same capability? Or would I want to make all other admins uid#2, and set permissions as you described? Bascially I can give all permissions EXCEPT creating and deleting users?

3. As a non technical person, who does not know what do do with a database or php, could you recommend someone who can help me do this?

Thanks again for all your help

canyonbreeze’s picture

If you have phpmyadmin installed on your server you should be able to do it. Or the administrator of your server can.

In phpmyadmin you open your drupal database, go to the table 'users' or 'drupal_users' and look for 1 in the uid column. There you will see the name, email and an MD5 hash of the superadmins password. You can use an online MD5 hash generator to get the code for whatever password you want then replace the one in the database. Or replace the email address then request a new password.

http://md5-hash-online.waraxe.us/

dambrisco’s picture

Generally speaking, most web developers aren't looking to undermine their clients. Unless you had a falling out, I wouldn't worry about much - even in the case of a falling out, most developers would rather be able to use you and your sites as a reference for future work.

Of course, if you trusted human nature, you probably wouldn't be looking for a way to lock your developer out. Personally, depending on how much maintenance your sites are going to need, I'd suggest hiring a trustworthy developer on to your staff.

drupalhopeful’s picture

I agree, and wish that it was the case.

We do trust. Sometimes employees are still escorted out the door when let go. Why? To not take chances. Its just more comfortable to know for sure.
Anyways, I am looking to have a good, reasonable, honest developer for maintenance, updates, new features etc.... I guess I have had some bad luck, but am hoping for good luck.

I thought Id post a couple projects in the jobs section.

If you know anyone let me know:)

drupalhopeful’s picture

BTW - is there anyway to get emails when someone replies to a forum posting?