Index: modules/user/user.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.module,v
retrieving revision 1.973
diff -u -p -r1.973 user.module
--- modules/user/user.module 1 Apr 2009 20:00:47 -0000 1.973
+++ modules/user/user.module 11 Apr 2009 06:13:19 -0000
@@ -2321,6 +2321,10 @@ function user_multiple_cancel_confirm_su
 
   if ($form_state['values']['confirm']) {
     foreach ($form_state['values']['accounts'] as $uid => $value) {
+      // Prevent uid 1 from being deleted.
+      if ($uid <= 1) {
+        continue;
+      }
       // Prevent user administrators from deleting themselves without confirmation.
       if ($uid == $user->uid) {
         $admin_form_state = $form_state;
Index: modules/user/user.pages.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.pages.inc,v
retrieving revision 1.32
diff -u -p -r1.32 user.pages.inc
--- modules/user/user.pages.inc 26 Mar 2009 13:31:28 -0000 1.32
+++ modules/user/user.pages.inc 11 Apr 2009 06:13:19 -0000
@@ -249,7 +249,7 @@ function user_profile_form($form_state,
   $form['_category'] = array('#type' => 'value', '#value' => $category);
   $form['_account'] = array('#type' => 'value', '#value' => $account);
   $form['submit'] = array('#type' => 'submit', '#value' => t('Save'), '#weight' => 30);
-  if (($account->uid == $user->uid && user_access('cancel account')) || user_access('administer users')) {
+  if ((($account->uid == $user->uid && user_access('cancel account')) || user_access('administer users')) && $account->uid > 1) {
     $form['cancel'] = array(
       '#type' => 'submit',
       '#value' => t('Cancel account'),
Index: modules/user/user.test
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.test,v
retrieving revision 1.33
diff -u -p -r1.33 user.test
--- modules/user/user.test 31 Mar 2009 01:49:55 -0000 1.33
+++ modules/user/user.test 11 Apr 2009 06:13:20 -0000
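Review bot: The `continue` behind the new `if ($uid <= 1)` guard drops the administrator account from the bulk cancellation silently, so an administrator who ticked uid 1 gets no indication it was skipped while the remaining accounts are processed. Consider reporting it, e.g. `if ($uid <= 1) { drupal_set_message(t('The administrator account (uid 1) cannot be cancelled.'), 'warning'); continue; }`, and widening the comment to say the guard also covers uid 0, which `<= 1` includes. The check lives only in the submit handler; nothing in this diff keeps uid 1 from being listed on the bulk form, so the protection rests on this handler always being the one that acts. user_multiple_cancel_confirm_submit begins before the hunk and continues past it.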
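Review bot: The added `&& $account->uid > 1` only hides the submit button built in user_profile_form; it is a presentation-layer control, and whether the `user/%/cancel` confirmation path that user.test exercises also refuses uid 1 on the server side is not shown in this diff, so that callback should carry the same check or the restriction is enforced by the UI alone. The condition has also grown hard to read; splitting it keeps the intent visible: `$may_cancel = ($account->uid == $user->uid && user_access('cancel account')) || user_access('administer users');` followed by `if ($may_cancel && $account->uid > 1) {`. user_profile_form starts before this hunk and continues after it.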
@@ -178,12 +178,12 @@ class UserCancelTestCase extends DrupalW
 
     // Attempt to cancel account.
     $this->drupalGet('user/' . $account->uid . '/edit');
-    $this->assertNoRaw(t('Cancel account'), t('No cancel account button displayed.'));
+    $this->assertNoRaw(t('Cancel account'), t('Cancel account button is hidden if user does not have sufficient permission.'));
 
     // Attempt bogus account cancellation request confirmation.
     $timestamp = $account->login;
     $this->drupalGet("user/$account->uid/cancel/confirm/$timestamp/" . user_pass_rehash($account->pass, $timestamp, $account->login));
-    $this->assertResponse(403, t('Bogus cancelling request rejected.'));
+    $this->assertResponse(403, t('Bogus account cancellation request was rejected.'));
 
     $account = user_load($account->uid);
     $this->assertTrue($account->status == 1, t('User account was not canceled.'));
@@ -234,6 +234,24 @@ class UserCancelTestCase extends DrupalW
   }
 
   /**
+   * Test for protection of user account #1 while logged as uid1.
+   * This should never be possible, for obvious reasons.
+   */
+  function testUserCancelUser1() {
+    variable_set('user_cancel_method', 'user_cancel_uid1_prevent');
+    // Fetch the uid1 account and and log them in.
+    $user1 = $this->drupalCreateUser();
+    $this->drupalLogin($user1);
+    $user1 = user_load(1, TRUE);
+    // Make sure the Cancel Account button does not show up on user/1/edit form.
+    $this->drupalGet('user/' . $user1->uid . '/edit');
+    $this->assertNoRaw(t('Cancel account'), t('Cancel account button is always hidden for user #1.'));
+    // Make sure the Edit checkbox does not show up on the admin/user page.
+    //$this->drupalGet('admin/user/user');
+    //$this->assertNoFieldByID('edit-accounts-1', $value, t('The Update checkbox for uid1 on the admin/user page does not appear.'));
+  }
+
+  /**
    * Disable account and keep all content.
    */
   function testUserBlock() {
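Review bot: testUserCancelUser1 does not exercise the protection it describes: it logs in as a freshly created user from `drupalCreateUser()` with no permissions and merely reloads uid 1 into `$user1` without logging in as it, so `assertNoRaw(t('Cancel account'))` passes because the visitor lacks `administer users`/`cancel account`, not because of the new `$account->uid > 1` guard. Logging in as a user holding `administer users` makes the assertion meaningful, and the `variable_set('user_cancel_method', 'user_cancel_uid1_prevent')` call names a method that nothing in this diff defines or reads, so it should be dropped or the method added. The docblock should then describe the real scenario, e.g. `Test that user account #1 cannot be cancelled even by an administrator.`, the `and and` typo fixed, and the two commented-out admin/user assertions either implemented or removed rather than left as dead code.
```php
  function testUserCancelUser1() {
    // Log in as a user who may cancel other accounts, so an absent button
    // proves the uid 1 guard rather than a missing permission.
    $admin_user = $this->drupalCreateUser(array('administer users'));
    $this->drupalLogin($admin_user);
    $user1 = user_load(1, TRUE);
    // Make sure the Cancel Account button does not show up on user/1/edit form.
    $this->drupalGet('user/' . $user1->uid . '/edit');
    $this->assertNoRaw(t('Cancel account'), t('Cancel account button is always hidden for user #1.'));
    // … unchanged: commented-out admin/user checks …
  }
```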