This module allows fine-grained access control of user administrators, by providing various editing protection for users. The protections can be specific to a user, or applied to all users in a role.
Note: Up until the D7 version, User Protect has a complicated configuration -- please take the time to read the very extensive module help before using it!
Provided protections
The following protections are supported:
- Username
- E-mail address
- Password
- Status
- Roles
- Edit operation (user/X/edit)
- Delete operation (user/X/delete or user/X/cancel)
Additionally, the following protections are supported in 7.x-1.x and earlier:
- OpenID identities
How it works
There are two types of protection rules:
-
User based protection rules
These apply to a single user. -
Role based protection rules
These apply to all users that have that role.
A protection rule prevents any user to perform the selected editing operations (such as changing password or changing mail address) on the specified user. There are two exceptions in which a configured protection rule does not apply:
-
The logged in user has permission to bypass the protection rule.
In Drupal 8, this can be configured with an user permission. In Drupal 7, by adding a bypass rule at /admin/config/people/userprotect/administrator_bypass (for one specific user) or by changing the "Administrator bypass defaults" at /admin/config/people/userprotect/protection_defaults (for all users, except the ones for which a bypass rule exists). -
The specified user is the current logged in user.
Protection rules don't count for the user itself. Instead, there are permissions available to prevent an user from editing its own account, username, e-mail address or password.
Protected fields will be disabled or hidden on the form at user/X/edit. The edit and delete operations are protected by controlling access on the paths user/X/edit and user/X/delete.
The protections also apply on bulk operations provided by Drupal core and (for Drupal 7 only) on bulk operations provided by Views Bulk Operations.
No protection to the role itself, only to users in the role
User protect does *not* limit an user in assigning/revoking certain roles in general. A role based protection rule only limits access to users that currently have that role. It does not protect the role itself. For limiting the roles that can be assigned/revoked, try the RoleAssign module or the Role delegation module.
Compatibility
The module is compatible with the following modules:
- RoleAssign
- Views Bulk Operations (D7 only)
For compatibility with the Role Delegation module, there is an issue: #1984520: "User Role Delegation" module overrides User Protect settings, but I would like the opposite behavior.
Similar modules
See https://drupal.org/node/980082 for a comparison of user edit protection modules.
Authors, maintainers
Versions 4.7.x-1.x - 7.x-1.x were written by Chad Phillips.
Version 8.x-1.x is written and maintained by MegaChriz.
Project information
- Maintenance fixes only
Considered feature-complete by its maintainers. - Module categories: Access Control
- 17,982 sites report using this module
- Created by hunmonk on , updated
- Drupal 10 is here!
The 8.x-1.x-dev version passes tests on D10! Needs manual testing to ensure full compatibility. See also #3290312: Automated Drupal 10 compatibility fixes.
- Stable releases for this project are covered by the security advisory policy.
Look for the shield icon below.
Releases
Drupal 10 support
Development version: 8.x-1.x-dev updated 10 Dec 2022 at 10:35 UTC
PHP 7.3 support and VBO 7.x-3.4+ support
Development version: 7.x-1.x-dev updated 3 Apr 2019 at 16:53 UTC