Hi,
sorry but i cant get this to work. i tried all and looked up all issues before this post.
- installed this module on a clean drupal 7.9 installation.
- created a role "editor" and created a user "test" with the role editor.
- gave the role editor the permission "Administer users" (at admin/people/permissions)
- at admin/config/people/userprotect I checked some checkboxes for my admin-account (uid 1) (checked username and password)
- logged in with the test user (with another browser)
- went to "user/1/edit"
- all fields are available and could be changed
i also tried to check some checkboxes for adminstrator on "roles protected" tab (admin/config/people/userprotect/protected_roles).
can anybody reproduce or am i too stupid?
Comment | File | Size | Author |
---|---|---|---|
#8 | userprotect-admin-defaults-1356452-8.patch | 2.82 KB | MegaChriz |
#2 | pippo localhost.png | 96.27 KB | CarloB |
#2 | User protect localhost.png | 57.28 KB | CarloB |
#2 | Modules1_5 localhost.png | 91.7 KB | CarloB |
#2 | Modules2_5 localhost.png | 100.45 KB | CarloB |
Comments
Comment #1
CarloB CreditAttribution: CarloB commentedHi,
I have the same problem and I don't know what's going wrong.
CLEAN 7.9 drupal installation with only USER PROTECT module loaded.
After installing user protecte module I create user PIPPO (lowercase) with some restriction but ... I'm still able to change what I restricted.
Here some print screen in order to see if I'm doing something wrong.
If there is something I can do in order to help you investigating this problem please let me know.
P.S. I cleaned the cache twice (when I changed some user protection) to see if something happen but no result ...
ThaX in advance for any help
Carlo
Comment #2
CarloB CreditAttribution: CarloB commentedSorry I forgot some printscreens . . .
Comment #3
rooby CreditAttribution: rooby commentedI have the same problem: I have a user Paul who has administer users permission and userprotect is set to default settings (which would ususlly work) and Paul can still edit user 1 and change anything.
However, I don't understand how over 600 sites are using this version and there aren't more people in this issue. Maybe there is something unusual with our install?
Comment #4
drasgardian CreditAttribution: drasgardian commentedBy default, users with the administer users permission will be able to bypass the protection.
You will need to untick the Administrator bypass defaults
Comment #5
rooby CreditAttribution: rooby commentedI worked out what my problem was.
On the protection defaults tab of the settings (admin/config/people/userprotect/protection_defaults) by default all the 'Administrator bypass defaults' are checked. You need to uncheck them all.
The default for this setting seems crazy to me.
You have to have the administer users permission to edit users in the first place, and these defaults mean anyone with administer users can bypass the protection.
That means by default, anyone that has permissions to edit users also has bypass of user protect.
Sorry - I should have ready the instructions (I have read them before but that was a long time ago now) - But has this always been the case in drupal 6 as well. Or have the defaults been changed at some point?
Comment #6
hefox CreditAttribution: hefox commentedMisconfiguration of a modules isn't really a bug, though indicates there is likely a bad site building expierence that could use improvement, so changing the ticket to reflect what the ticket is about.
Not the maintainer, just evaluating the module for use and saw this rather scarily titled issue.
Comment #6.0
hefox CreditAttribution: hefox commentedsome changes
Comment #7
MegaChriz CreditAttribution: MegaChriz commentedI also find this default setting strange. The reason behind this is probably that no access rights for user administrators should be changed upon initial installation of the module, as said in #145019-1: failing user protection. I've checked the history of userprotect and this default has not always been there. In the first few days of the module the default was no bypass. This intentionally changed soon to all bypass, though this only started working since #516206: userprotect_administrator_bypass_defaults() should return keyed array was fixed.
The defaults are documented:
But because of the huge amount of text, this is easily overlooked as reported in #1279756: Improve/highlight important parts of documentation.
The question is: what should the default be? No administrator bypass at all? Seems reasonable by me, since all protection rules that are created by default apply to user 1.
Comment #8
MegaChriz CreditAttribution: MegaChriz commentedAs I think the administrator bypass defaults is a major struggle for new users, I went ahead and just set the defaults to no bypass at all. To compromise user administrators from being suddenly no longer able to edit user 1 after enabling User protect module, I also changed the default protections for user 1. Now user 1 only is protected from cancellation upon installing the module. This default only affects new installations, not existing ones.
Comment #10
MegaChriz CreditAttribution: MegaChriz commentedCommitted #8.
Comment #11
rooby CreditAttribution: rooby commentedYay, I think this is a great change.