? sites/default/files
? sites/default/settings.php
Index: modules/user/user.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.module,v
retrieving revision 1.944
diff -u -p -r1.944 user.module
--- modules/user/user.module 29 Nov 2008 09:33:51 -0000 1.944
+++ modules/user/user.module 15 Dec 2008 03:03:07 -0000
@@ -1572,10 +1572,17 @@ function _user_edit_submit($uid, &$edit)
 /**
 * Delete a user.
 *
+ * @note User #1 cannot be deleted
 * @param $edit An array of submitted form values.
 * @param $uid The user ID of the user to delete.
 */
 function user_delete($edit, $uid) {
+ // Don't allow deletion of user #1
+ if ($uid == 1) {
+ drupal_set_message(t('Failed to delete user 1: This user is the superuser or root administrator, and cannot be deleted.'), 'error');
+ return;
+ }
+
 $account = user_load(array('uid' => $uid));
 drupal_session_destroy_uid($uid);
 _user_mail_notify('status_deleted', $account);
Index: modules/user/user.pages.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.pages.inc,v
retrieving revision 1.24
diff -u -p -r1.24 user.pages.inc
--- modules/user/user.pages.inc 24 Nov 2008 00:40:45 -0000 1.24
+++ modules/user/user.pages.inc 15 Dec 2008 03:03:07 -0000
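Review bot: The new guard in user_delete() (modules/user/user.module) compares the raw argument loosely with `if ($uid == 1)`, while the same `$uid` is then handed to user_load() and drupal_session_destroy_uid(); if any later step casts it to an integer (not visible in this hunk), a non-integer value that truncates to 1 would pass the guard and still resolve to account 1. Normalising at the check, `if ((int) $uid === 1) {`, keeps the guard and the later lookups in agreement. The refusal is also reported only through drupal_set_message(), so a programmatic caller cannot tell that nothing was deleted and no audit trail is left; returning `FALSE` and adding `watchdog('user', 'Blocked attempt to delete user 1.', array(), WATCHDOG_WARNING);` before the return would cover both. The body of user_delete() continues past the end of the hunk.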
@@ -238,7 +238,8 @@ function user_profile_form($form_state,
 $form['_category'] = array('#type' => 'value', '#value' => $category);
 $form['_account'] = array('#type' => 'value', '#value' => $account);
 $form['submit'] = array('#type' => 'submit', '#value' => t('Save'), '#weight' => 30);
- if (user_access('administer users')) {
+ // User 1 cannot be deleted so we don't display the delete button.
+ if (user_access('administer users') && $account->uid != 1) {
 $form['delete'] = array(
 '#type' => 'submit',
 '#value' => t('Delete'),
Index: modules/user/user.test
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.test,v
retrieving revision 1.22
diff -u -p -r1.22 user.test
--- modules/user/user.test 25 Nov 2008 13:14:29 -0000 1.22
+++ modules/user/user.test 15 Dec 2008 03:03:08 -0000
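Review bot: Hiding the button in user_profile_form() (modules/user/user.pages.inc) is presentation only: the `user/1/delete` path that the new tests post to stays routable, so the guard in user_delete() is the only enforcement. The comment should say so, for example `// UI hint only: user_delete() is what refuses uid 1; the delete path itself stays reachable.`, so that nobody later treats this condition as the access check. It would also be cleaner to deny the delete confirmation page for uid 1 in its access or form callback (not visible here) instead of letting the confirm form render and fail on submit. user_profile_form() starts and ends outside the hunk.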
@@ -193,6 +193,98 @@ class UserDeleteTestCase extends DrupalW
 }
 }
 
+class UserRootAdminNoDeleteTestCase extends DrupalWebTestCase {
+ function getInfo() {
+ return array(
+ 'name' => t('Deny user #1 deletion'),
+ 'description' => t('Tries to delete user #1, only to be disallowed'),
+ 'group' => t('User')
+ );
+ }
+
+ /**
+ * Checks if the delete button for user #1 is not visible.
+ */
+ function deleteButtonMissing() {
+ // Try the edit user page for the delete button
+ $this->drupalGet('user/1/edit');
+ $this->assertNoRaw('value="' . t('Delete') . '"', t('Delete button should not appear on user/1/edit'));
+ }
+
+ /**
+ * Tries to delete user #1 trough the direct delete link, and checks for error message.
+ */
+ function directLinkDisabled() {
+ $this->drupalPost('user/1/delete', NULL, t('Delete'));
+ $this->assertText(t('Failed to delete user 1: This user is the superuser or root administrator, and cannot be deleted.'), t('User #1 should not be deleteable trough the direct link.'));
+ }
+
+ /**
+ * Tries deletion of user #1 trough the mass deletion form, and checks for error message.
+ */
+ function massDeleteHandling() {
+ $edit = array('sort' => 'desc', 'order' => 'Member+for');
+ $this->drupalGet('admin/user/user', $edit);
+ $edit = array('operation' => 'delete', 'accounts[1]' => '1');
+ $this->drupalPost(NULL, $edit, t('Update'));
+ $this->drupalPost(NULL, NULL, t('Delete all'));
+ $this->assertText(t('Failed to delete user 1: This user is the superuser or root administrator, and cannot be deleted.'), t('User #1 should not be deleteable trough the mass deletion form.'));
+ }
+
+ /**
+ * Test failure to delete root administrator as root administrator
+ */
+ function testDeleteRootAdminSelf() {
+ // login as root administrator.
+ $this->rootAdminLogin();
+
+ $this->deleteButtonMissing();
+ $this->directLinkDisabled();
+ $this->massDeleteHandling();
+ }
+
+ /**
+ * Test failure to delete root administrator as another administrator
+ */
+ function testDeleteRootAdminOther() {
+ // login as another administrator.
+ $this->drupalLogin($this->drupalCreateUser(array('administer users')));
+
+ $this->deleteButtonMissing();
+ $this->directLinkDisabled();
+ $this->massDeleteHandling();
+ }
+
+ /**
+ * Small unit-test to check the user_delete() function.
+ */
+ function testDeleteRootAdminPHP() {
+ user_delete(NULL, 1);
+ $this->assertTrue(user_load(1), t('user_delete() should not allow Deletion of user #1'));
+ }
+
+ /**
+ * Try logging in as root administrator
+ *
+ * @todo find a better way when possible!
+ */
+ function rootAdminLogin() {
+ $password = user_password();
+ $username = $this->randomName();
+
+ require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
+ db_update('users')
+ ->fields(array('name' => $username, 'pass' => user_hash_password($password)))
+ ->condition('uid', 1)
+ ->execute();
+
+ $root_user = user_load(1);
+ $root_user->pass_raw = $password;
+
+ $this->drupalLogin($root_user);
+ }
+}
+
 class UserPictureTestCase extends DrupalWebTestCase {
 protected $user;
 protected $_directory_test;
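Review bot: directLinkDisabled() and massDeleteHandling() in UserRootAdminNoDeleteTestCase assert only on the error text, so both would still pass if some path showed the message and removed the account row anyway; only testDeleteRootAdminPHP() checks that uid 1 survives. Ending both helpers with `$this->assertTrue(user_load(1), t('User #1 still exists after the attempt.'));` pins the property the patch is meant to guarantee. In massDeleteHandling() the sort parameters are passed as the second argument of drupalGet(), which I believe is an options array, so they are probably ignored unless wrapped as `array('query' => $edit)`. The doc comments and assertion messages also misspell "through" as "trough" and "deletable" as "deleteable".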