[development] using UID 1 (was Re: Overriding node_db_rewrite_sql())

Earnie Boyd earnie at users.sourceforge.net
Fri Jul 27 11:54:53 UTC 2007



Quoting Peter Wolanin <pwolanin at gmail.com>:

> However, it also allows novice admins to lock themselves out of
> permissions like "administer access control"...
>

We can do that with the current implementation. ;)

> -Peter
>
> On 7/26/07, Khalid Baheyeldin <kb at 2bits.com> wrote:
>> On 7/26/07, Ken Rickard <agentrickard at gmail.com> wrote:
>> > Now this second point isn't relevant to the entire Drupal community,
>> > obviously, but it also makes a case for replacing the special user 1
>> > entirely with a default 'administrative user' role that is assigned to user
>> > 1 and can then be assigned to other users.
>>
>> I think creating an admin role, giving it all permissions (programmatically,
>> not via the checkboxes), then assigning user 1 to that role is the way to go
>> for core Drupal.
>>
>> It allows users to be granted/revoked admin privileges dynamically.
>>

While I advocate the idea of a predefined admin role that can be
deactivated, I do not advocate removing the special privilege of user
id 1.  Given the case that it might be possible for someone to modify
the database and give themselves the admin role by a simple update, this could
open a can of security issues you do not want.  I had created an admin
role at one site where the DB is mostly open (i.e. admin priv is
insecure) and this actually happened once.  I quickly deleted the role
once I discovered what had happened.

Earnie

