Problem/Motivation

In #540008: Add a container parameter that can remove the special behavior of UID#1 an approach was taken where we can simply flag tests that are failing if we turn off user 1's super user powers, so that they can be taken care of in a followup. This issue is to collect all of these followups.

The goal is to have no tests in Drupal core that rely on UID1's special privileges so that we:

  1. Know these tests are correctly assigning the necessary permissions to run
  2. Can turn off the super user access policy in D11, knowing it won't break core
  3. Can remove the super user access policy in D12, providing an admin account recovery tool to replace it

Steps to reproduce

Go into any of the tests flagged with:

  /**
   * {@inheritdoc}
   *
   * @todo Remove and fix test to not rely on super user.
   * @see https://www.drupal.org/project/drupal/issues/3437620
   */

And:

  1. Remove the code below that sets the usesSuperUserAccessPolicy to TRUE.
  2. Run the test to see which test methods are failing

Proposed resolution

Assign the right permissions to make the test go green without the super user access policy. Those few tests that specifically test said policy can obviously stay, but will be removed along with the policy in D12.

Remaining tasks

  • core/modules/migrate_drupal_ui/tests/src/
    • Functional/MigrateControllerTest.php

Issue fork drupal-3439901

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

vensires created an issue. See original summary.

quietone’s picture

quietone commented
Related issues: +#3420021: Permission to access upgrade paths should not be validated only against the user id 1

Migrate UI was designed to be only available for the administrator, uid = 1. And there is no special permission for it. See '\Drupal\migrate_drupal_ui\MigrateAccessCheck::checkAccess(). And this year an issue has been opened to change that.

sukr_s made their first commit to this issue’s fork.

sukr_s opened merge request !7664

sukr_s’s picture

sukr_s commented

Tests are failing since the batch fails to load due to sudden change in CSRF token. Not sure though why the token changes during the batch process

sukr_s closed merge request !7664

mikelutz’s picture

mikelutz
He/Him
Primary language English
Location Michigan, USA
commented

I think we can close this. Migrate Drupal UI is a special case where we really do need to check against uid 1. D7 sites being migrated from effectively have a super user access policy, so it doesn't make sense to have it disabled in d11 in the context of migrate.

With migrate Drupal slated for deprecation and removal by d12, this should be fine to leave.

mikelutz’s picture

mikelutz
He/Him
Primary language English
Location Michigan, USA
commented
Status: Active » Closed (won't fix)

Talked with @catch, we are going to leave these alone as they will be gone before d12 anyway.