Download & Extend
Paranoia » Issues

re-implement locking of user/1 direct editing

Posted by sime on October 26, 2009 at 6:53am
Project:Paranoia
Version:6.x-1.x-dev
Component:Code
Category:feature request
Priority:normal
Assigned:Unassigned
Status:closed (fixed)

Issue Summary

The attached patch prevents editing email & password fields on user/1/edit for everybody except user/1.

"Administer Users" is a very useful permission, but unfortunately provides users with an opportunity to become the superuser. I would like to re-implement the D5 feature of paranoia.

It is recognised that contrib modules regularly implement extra php permissions. Becoming user/1 gives the user the ability to execute php via these modules.

Login or register to post comments

Comments

#1

Posted by sime on October 26, 2009 at 6:53am
AttachmentSize
paranoi_edit_user1.patch 1.26 KB

#2

Posted by dddave on January 26, 2010 at 2:50pm
Status:active» needs review

#3

Posted by Gábor Hojtsy on June 8, 2010 at 10:47am
Status:needs review» reviewed & tested by the community

Applied this to drupal.hu and it works fine.

#4

Posted by killes@www.drop.org on June 8, 2010 at 2:23pm
Status:reviewed & tested by the community» fixed

Thanks, patch applied.

#5

Posted by System Message on June 22, 2010 at 2:30pm
Status:fixed» closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.