Index: modules/user/user.admin.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.admin.inc,v
retrieving revision 1.33
diff -u -p -r1.33 user.admin.inc
--- modules/user/user.admin.inc 16 Nov 2008 15:10:49 -0000 1.33
+++ modules/user/user.admin.inc 12 Dec 2008 20:41:30 -0000
@@ -184,6 +184,8 @@ function user_admin_account() {
 $form['last_access'][$account->uid] = array('#markup' => $account->access ? t('@time ago', array('@time' => format_interval(REQUEST_TIME - $account->access))) : t('never'));
 $form['operations'][$account->uid] = array('#markup' => l(t('edit'), "user/$account->uid/edit", array('query' => $destination)));
 }
+ // don't display a checkbox for user #1 as it is undeletable.
+ unset($accounts[1]);
 $form['accounts'] = array(
 '#type' => 'checkboxes',
 '#options' => $accounts
Index: modules/user/user.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.module,v
retrieving revision 1.944
diff -u -p -r1.944 user.module
--- modules/user/user.module 29 Nov 2008 09:33:51 -0000 1.944
+++ modules/user/user.module 12 Dec 2008 20:41:31 -0000
@@ -1572,10 +1572,17 @@ function _user_edit_submit($uid, &$edit)
 /**
 * Delete a user.
 *
+ * @note You can't remove user #1
 * @param $edit An array of submitted form values.
 * @param $uid The user ID of the user to delete.
 */
 function user_delete($edit, $uid) {
+ // User #1 can't be deleted
+ if ($uid == 1) {
+ drupal_set_message(t('Failed to delete user: This user is the superuser or root administrator, and cannot be deleted.'), 'error');
+ return;
+ }
+
 $account = user_load(array('uid' => $uid));
 drupal_session_destroy_uid($uid);
 _user_mail_notify('status_deleted', $account);
Index: modules/user/user.pages.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.pages.inc,v
retrieving revision 1.24
diff -u -p -r1.24 user.pages.inc
--- modules/user/user.pages.inc 24 Nov 2008 00:40:45 -0000 1.24
+++ modules/user/user.pages.inc 12 Dec 2008 20:41:31 -0000
@@ -238,7 +238,8 @@ function user_profile_form($form_state,
 $form['_category'] = array('#type' => 'value', '#value' => $category);
 $form['_account'] = array('#type' => 'value', '#value' => $account);
 $form['submit'] = array('#type' => 'submit', '#value' => t('Save'), '#weight' => 30);
- if (user_access('administer users')) {
+ // don't show delete button for user #1 as it is undeletable.
+ if (user_access('administer users') && $account->uid != 1) {
 $form['delete'] = array(
 '#type' => 'submit',
 '#value' => t('Delete'),
Index: modules/user/user.test
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.test,v
retrieving revision 1.22
diff -u -p -r1.22 user.test
--- modules/user/user.test 25 Nov 2008 13:14:29 -0000 1.22
+++ modules/user/user.test 12 Dec 2008 20:41:31 -0000
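Review bot: In the user.module hunk, the new guard in `user_delete()` tests the raw `$uid` argument with a loose `==` before the account is loaded, so the protection is tied to the caller's value and not to the record that `user_load(array('uid' => $uid))` returns on the next line. Comparing the loaded account instead, `if ($account && $account->uid == 1) {` placed after the load, would cover any argument that the loader resolves to account 1 (how `user_load()` coerces its input is not visible here). The refusal is also reported only through `drupal_set_message()` followed by a bare `return;`, so programmatic callers cannot tell that nothing was deleted and no audit trail is left; consider `watchdog('user', 'Refused to delete user #1.', array(), WATCHDOG_WARNING);` and `return FALSE;`. The body of `user_delete()` continues past the end of the hunk.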
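Review bot: In the user.pages.inc hunk, the `$account->uid != 1` condition in `user_profile_form()` only hides the Delete button; the test added in this same patch still requests `user/1/delete` and posts the confirmation, so the actual refusal happens in `user_delete()` alone. It would be worth denying the delete confirmation for uid 1 as well (its callback is outside this hunk) and making the comment say where enforcement lives, for example `// UI hint only: user_delete() is what refuses to delete user #1.`. `user_profile_form()` starts before and ends after the hunk.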
@@ -193,6 +193,41 @@ class UserDeleteTestCase extends DrupalW
 }
 }
 
+class UserRootAdminNoDeleteTestCase extends DrupalWebTestCase {
+ function getInfo() {
+ return array(
+ 'name' => t('Deny user #1 deletion'),
+ 'description' => t('Assure that user #1 can\'t be deleted'),
+ 'group' => t('User')
+ }
+ }
+
+ /**
+ * Tries to delete the root, which should be impossible
+ */
+ function TestRootAdminNoDelete() {
+ $rootadmin = user_load(1);
+ $this->drupalLogin($rootadmin);
+
+ // edit user page
+ $this->drupalGet('user/1/edit');
+ $this->assertNoRaw('value="' . t('Delete') . '"', t('Make sure the delete button doesn\'t get displayed on user/1/edit'));
+
+ // admin interface
+ $this->drupalGet('admin/user/user');
+ $this->assertNoRaw('name="accounts[1]"', t('Make sure you can\'t select user #1 for deletion on admin/user/user'));
+
+ // direct link
+ $this->drupalGet('user/1/delete');
+ $this->drupalPost(NULL, NULL, t('Delete'));
+ $this->assertText(t('Failed to delete user: This user is the superuser or root administrator, and cannot be deleted.'), t('Make sure it gives an error while trying to delete user #1'));
+
+ // even pure php shouln't allow it.
+ user_delete(1);
+ $this->assertTrue(user_load(1), t('User #1 is found in the database'));
+ }
+}
+
 class UserPictureTestCase extends DrupalWebTestCase {
 protected $user;
 protected $_directory_test;
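Review bot: `getInfo()` in the new `UserRootAdminNoDeleteTestCase` does not parse, because `return array(` is closed with `}` instead of `);`, so the test file cannot load and the superuser-deletion check would never run. The end of the array should read `'group' => t('User'),` followed by `);`. The last assertion calls `user_delete(1)` although this patch shows the function declared as `user_delete($edit, $uid)`, so `$uid` is never 1 on that call and the new guard is not what is being exercised; `user_delete(array(), 1);` would test it. With both fixed, the final `assertTrue(user_load(1), …)` would actually confirm that the account survives a direct API call.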