[development] using UID 1 (was Re: Overriding node_db_rewrite_sql())
Earnie Boyd
earnie at users.sourceforge.net
Fri Jul 27 11:54:53 UTC 2007
Quoting Peter Wolanin <pwolanin at gmail.com>:
> However, it also allows novice admins to lock themselves out of
> permissions like "administer access control"...
>
We can do that with the current implementation. ;)
> -Peter
>
> On 7/26/07, Khalid Baheyeldin <kb at 2bits.com> wrote:
>> On 7/26/07, Ken Rickard <agentrickard at gmail.com> wrote:
>> > Now this second point isn't relevant to the entire Drupal community,
>> > obviously, but it also makes a case for replacing the special user 1
>> > entirely with a default 'administrative user' role that is assigned to user
>> > 1 and can then be assigned to other users.
>>
>> I think creating an admin role, giving it all permissions (programmatically,
>> not via the checkboxes), then assigning user 1 to that role is the way to go
>> for core Drupal.
>>
>> It allows users to be granted/revoked admin privileges dynamically.
>>
While I advocate the idea of a predefined admin role that can be
deactivated, I do not advocate removing the special privilege of user
id 1. Given the case that it might be possible for someone to modify
the database and give themselves the admin role by a simple update, this
could open a can of security issues you do not want. I had created an admin
role at one site where the DB is mostly open (i.e. admin priv is
insecure) and this actually happened once. I quickly deleted the role
once I discovered what had happened.
Earnie