The attached patch prevents editing email & password fields on user/1/edit for everybody except user/1.

"Administer Users" is a very useful permission, but unfortunately provides users with an opportunity to become the superuser. I would like to re-implement the D5 feature of paranoia.

It is recognised that contrib modules regularly implement extra PHP permissions. Becoming user/1 gives the user the ability to execute PHP via these modules.

Comment | File | Size | Author
#1 | paranoi_edit_user1.patch | 1.26 KB | sime
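
The restriction described in the issue summary above, sketched as an added example (not the attached patch and not Drupal's or the module's own code). The function names, the `account`/`mail`/`pass` array layout and the sample form are assumptions for illustration.

```php
<?php
// Added illustration; not the attached patch. All function names are hypothetical.
const SUPERUSER_UID = 1;

// True when someone other than user/1 is editing user/1.
function example_is_restricted_edit(int $editedUid, int $actingUid): bool {
  return $editedUid === SUPERUSER_UID && $actingUid !== SUPERUSER_UID;
}

// Form-building step: '#access' => FALSE is the Form API property that stops
// an element from being rendered and from taking submitted input.
// Assumption: the e-mail and password elements live under $form['account'].
function example_protect_superuser_fields(array $form, int $editedUid, int $actingUid): array {
  if (!example_is_restricted_edit($editedUid, $actingUid)) {
    return $form;
  }
  foreach (['mail', 'pass'] as $key) {
    if (isset($form['account'][$key])) {
      $form['account'][$key]['#access'] = FALSE;
    }
  }
  return $form;
}

// Validation step: list protected fields that still arrived with a value,
// so a hand-crafted POST is refused instead of silently saved.
function example_rejected_fields(array $submitted, int $editedUid, int $actingUid): array {
  if (!example_is_restricted_edit($editedUid, $actingUid)) {
    return [];
  }
  $present = array_filter($submitted, fn($v) => $v !== NULL && $v !== '');
  return array_values(array_intersect(['mail', 'pass'], array_keys($present)));
}

// Constructed sample form and submissions (uid 42 holds "administer users").
$form = ['account' => [
  'name' => ['#type' => 'textfield'],
  'mail' => ['#type' => 'textfield'],
  'pass' => ['#type' => 'password_confirm'],
]];
var_dump(example_protect_superuser_fields($form, 1, 42)['account']);
var_dump(example_protect_superuser_fields($form, 1, 1)['account']);
var_dump(example_rejected_fields(['name' => 'admin', 'mail' => 'x@example.com'], 1, 42));
var_dump(example_rejected_fields(['name' => 'bob', 'mail' => 'b@example.com'], 7, 42));
```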

Comments

sime

File size: 1.26 KB

dddave

Status: Active » Needs review

Gábor Hojtsy

Status: Needs review » Reviewed & tested by the community

Applied this to drupal.hu and it works fine.

killes@www.drop.org

Status: Reviewed & tested by the community » Fixed

Thanks, patch applied.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.