Change the default settings of 'Administrator bypass defaults'

Hi,
I have the same problem and I don't know what's going wrong.
CLEAN 7.9 drupal installation with only USER PROTECT module loaded.

After installing user protecte module I create user PIPPO (lowercase) with some restriction but ... I'm still able to change what I restricted.

Here some print screen in order to see if I'm doing something wrong.

If there is something I can do in order to help you investigating this problem please let me know.

P.S. I cleaned the cache twice (when I changed some user protection) to see if something happen but no result ...

ThaX in advance for any help
Carlo

Sorry I forgot some printscreens . . .

I have the same problem: I have a user Paul who has administer users permission and userprotect is set to default settings (which would ususlly work) and Paul can still edit user 1 and change anything.

However, I don't understand how over 600 sites are using this version and there aren't more people in this issue. Maybe there is something unusual with our install?

By default, users with the administer users permission will be able to bypass the protection.

You will need to untick the Administrator bypass defaults

I worked out what my problem was.

On the protection defaults tab of the settings (admin/config/people/userprotect/protection_defaults) by default all the 'Administrator bypass defaults' are checked. You need to uncheck them all.

The default for this setting seems crazy to me.
You have to have the administer users permission to edit users in the first place, and these defaults mean anyone with administer users can bypass the protection.

That means by default, anyone that has permissions to edit users also has bypass of user protect.

Sorry - I should have ready the instructions (I have read them before but that was a long time ago now) - But has this always been the case in drupal 6 as well. Or have the defaults been changed at some point?

Misconfiguration of a modules isn't really a bug, though indicates there is likely a bad site building expierence that could use improvement, so changing the ticket to reflect what the ticket is about.

Not the maintainer, just evaluating the module for use and saw this rather scarily titled issue.

some changes

I also find this default setting strange. The reason behind this is probably that no access rights for user administrators should be changed upon initial installation of the module, as said in #145019-1: failing user protection. I've checked the history of userprotect and this default has not always been there. In the first few days of the module the default was no bypass. This intentionally changed soon to all bypass, though this only started working since #516206: userprotect_administrator_bypass_defaults() should return keyed array was fixed.

The defaults are documented:

When the module is initially enabled, the default settings are such:

• User administrators bypass all protections.

But because of the huge amount of text, this is easily overlooked as reported in #1279756: Improve/highlight important parts of documentation.

The question is: what should the default be? No administrator bypass at all? Seems reasonable by me, since all protection rules that are created by default apply to user 1.

As I think the administrator bypass defaults is a major struggle for new users, I went ahead and just set the defaults to no bypass at all. To compromise user administrators from being suddenly no longer able to edit user 1 after enabling User protect module, I also changed the default protections for user 1. Now user 1 only is protected from cancellation upon installing the module. This default only affects new installations, not existing ones.

Committed #8.

Yay, I think this is a great change.