document security threat of permission 'administer users'

shark - October 8, 2009 - 18:14
Project: RoleAssign
Version: HEAD
Component: Documentation
Category: feature request
Priority: normal
Assigned: Unassigned
Status: active
Description

I recently stumbled upon the fact that users with permission 'administer users' can administer *all* users, including admin. So, if you are setting up a site for a client and trying to give them ability to create users, you are also giving them the ability to change the admin password or worse, completely delete the admin user (user 1).

This issue is documented more here:

Since this module requires that some users be given the 'administer users' permission, it would be helpful to add some kind of warning and advice. How about adding

Warning: granting 'administer users' permissions to users will allow them to modify the admin password or even delete the site administrator account. We strongly encourage you to use the User Protect module to prevent this.

to the project page and module help text?
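The gap described above can also be closed in code rather than only documented: the following is an added example (not code from RoleAssign or from the User Protect module it recommends) of a tiny Drupal 6 module that stops anyone other than user 1 from opening the edit or delete page for user 1, whatever permissions they hold. It assumes a hypothetical module name `protect_uid1` with a matching `protect_uid1.info` declaring `core = 6.x`, and Drupal 6's core user edit and delete router paths.

```php
<?php
// protect_uid1.module (hypothetical name): added defensive example for Drupal 6.
// Replaces the access callback on the core user edit and delete paths so that
// the site administrator account (uid 1) can only be edited or deleted by uid 1,
// even by users holding 'administer users'.

/**
 * Implementation of hook_menu_alter().
 *
 * drupal_alter('menu') runs before router inheritance, so the edit sub-tabs
 * (user/%user_category/edit/account etc.) inherit the new callback too.
 */
function protect_uid1_menu_alter(&$items) {
  // Core path => operation name passed to our access callback.
  $paths = array(
    'user/%user_category/edit' => 'edit',
    'user/%user/delete'        => 'delete',
  );
  foreach ($paths as $path => $op) {
    if (isset($items[$path])) {
      $items[$path]['access callback'] = 'protect_uid1_access';
      // 1 = the loaded $account object from the path; $op is a literal string.
      $items[$path]['access arguments'] = array(1, $op);
    }
  }
}

/**
 * Access callback: core's rules plus "only uid 1 may touch uid 1".
 */
function protect_uid1_access($account, $op) {
  global $user;
  // Anonymous (uid 0) is never editable or deletable, as in core.
  if (!is_object($account) || $account->uid < 1) {
    return FALSE;
  }
  // The extra rule: nobody but the site administrator may edit or delete uid 1.
  if ($account->uid == 1 && $user->uid != 1) {
    return FALSE;
  }
  if ($op == 'delete') {
    // Core: deletion requires 'administer users'.
    return user_access('administer users');
  }
  // Core: you may edit yourself, or anyone if you hold 'administer users'.
  return ($user->uid == $account->uid) || user_access('administer users');
}
```

Note that the bulk operations on the admin/user/user listing (block, delete) are a separate code path that this example does not cover; a complete protection, which is what User Protect provides, must guard those as well.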
