[support] use uid1 or not Re: How to create "index" pages of content

Shai Gluskin shai at content2zero.com
Mon Dec 10 03:00:09 UTC 2007


Greg and all,

Thanks for changing the topic.

My main reason was touched on briefly in the handbook node. But I'll
elaborate.

Users are people. Users can then get assigned to none, one or more roles.
But what is weird/unique to user/1 is that it is essentially a role, not a
person. It's a role with unique properties which no other user can be
assigned. So what do you do when you want to rotate or share the
privileges/responsibilities that user/1 possesses? Typically person->user is a
one-to-one relationship. (more precisely it's e-mail -> user).

It's better for no person to be user/1 but rather that the privileges/log-in
info should be available to the person or persons at any given time who need
to have superadmin access (e.g. the person or persons in charge of software
updates).

Normally there isn't a use case for a user changing user ids; there is a use
case for people migrating in/out of having access to superadmin privileges.

To concretize it, here is a simple example. A guy starts a business, in his
spare time; he's the only employee. He figures out Drupal and launches his
site as user/1. The site turns out to be very successful and grows the
business. The founder has created a large volume of content for the site as
user/1. But now the guy has employees. His site has also grown in complexity
and someone else is administering it. He's in the awkward situation of
having to give his employee who administers the site access to his user
account in order for the employee to administer the site. And it's not a
trivial matter to migrate all his content to another user.

Shai

On 12/9/07, Greg Knaddison <greg at pingvox.com> wrote:
>
> This is slightly off-topic from the original post so I'm changing the
> subject.
>
> On Dec 9, 2007 6:30 PM, Shai Gluskin <shai at content2zero.com> wrote:
> > Here is the handbook page that describes why not using user/1 for
> > day-to-day is a best practice:
> >
> > http://drupal.org/node/22284
> >
>
> I don't think the conclusion you've drawn is really reflected in the
> meat of the page.  That's especially true if you use an account that
> is granted a role that has all permissions on a site - that account is
> just as vulnerable to most of the security problems listed on that
> page.
>
> The only thing that the "user 2 with all privileges" setup gets you is
> a small amount of protection on security holes/actions in the
> update.php file.  But if you have a "user 2 with all privileges" then
> that person probably has access to php input format and can do a lot
> of damage to your site (which is worth a reminder: if you don't need
> it then disable the php input format).
>
> Regards,
> Greg
>
> --
> Greg Knaddison
> Denver, CO | http://knaddison.com
> World Spanish Tour | http://wanderlusting.org/user/greg
> --
> [ Drupal support list | http://lists.drupal.org/ ]
>