Greg and all,<br><br>Thanks for changing the topic.<br><br>My main reason was touched on briefly in the handbook node. But I'll elaborate.<br><br>Users are people. Users can then get assigned to none, one or more roles. But what is weird/unique to user/1 is that it is essentially a role, not a person. It's a role with unique properties which no other user can be assigned. So what do you do when you want to rotate or share the privileges/responsibilities that user/1 possesses? Typically person->user is a one-one relationship. (more precisely it's e-mail -> user).
<br><br>It's better for no person to be user/1 but rather that the privileges/log-in info should be available to the person or persons at any given time who need to have superadmin access (e.g. the person or persons in charge of software updates).
<br><br>Normally there isn't a use case for a user changing user ids; there is a use case for people migrating in/out of having access to superadmin privileges.<br><br>To concretize it, here is a simple example. A guy starts a business, in his spare time; he's the only employee. He figures out Drupal and launches his site as user/1. The site turns out to be very successful and grows the business. The founder has created a large volume of content for the site as user/1. But now the guy has employees. His site has also grown in complexity and someone else is administering it. He's in the awkward situation of having to give his employee who administers the site access to his user account in order for the employee to administer the site. And it's not a trivial matter to migrate all his content to another user.
<br><br>Shai<br><br><div><span class="gmail_quote">On 12/9/07, <b class="gmail_sendername">Greg Knaddison</b> <<a href="mailto:greg@pingvox.com">greg@pingvox.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
This is slightly off-topic from the original post so I'm changing the subject.<br><br>On Dec 9, 2007 6:30 PM, Shai Gluskin <<a href="mailto:shai@content2zero.com">shai@content2zero.com</a>> wrote:<br>> Here is the handbook page that describes why not using user/1 for day-to-day
<br>> is a best practice:<br>><br>> <a href="http://drupal.org/node/22284">http://drupal.org/node/22284</a><br>><br><br>I don't think the conclusion you've drawn is really reflected in the<br>meat of the page. That's especially true if you use an account that
<br>is granted a role that has all permissions on a site - that account is<br>just as vulnerable to most of the security problems listed on that<br>page.<br><br>The only thing that the "user 2 with all privileges" setup gets you is
<br>a small amount of protection on security holes/actions in the<br>update.php file. But if you have a "user 2 with all privileges" then<br>that person probably has access to php input format and can do a lot<br>
of damage to your site (which is worth a reminder: if you don't need<br>it then disable the php input format).<br><br>Regards,<br>Greg<br><br>--<br>Greg Knaddison<br>Denver, CO | <a href="http://knaddison.com">http://knaddison.com
</a><br>World Spanish Tour | <a href="http://wanderlusting.org/user/greg">http://wanderlusting.org/user/greg</a><br>--<br>[ Drupal support list | <a href="http://lists.drupal.org/">http://lists.drupal.org/</a> ]<br></blockquote>
</div><br>