The protections applied to a user on the user protection settings don't work. However, in the permissions for the User Protect module, by default authenticated users are allowed to change username, email and password. Those, if disabled, disable the permissions for the role, not the users. I don't think doing that was the idea behind this module. The settings on the user protection don't have any effect at all.
Comments
Comment #1
dreizwo commented:
Same problem. A user has explicit editing permission; see the comments in userprotect.module, line 797 and following,
AND line 811
// Always let user access their own edit page.
This will be OK if permission has been denied for a role. But in my opinion, the settings of user protect have to be analysed additionally.
The quick way is to uncomment the lines 801-815 (ONLY the userprotect settings will be analysed).
Moving the code of these lines to the bottom of the function will FIRST check userprotect settings and at least the core-handles.
Comment #2
GrahamShepherd commented:
I am using this module in conjunction with IP Login (https://drupal.org/project/ip_login) as a means of preventing all but the owner of the account from viewing and editing the account details, especially username, email and password. The IP Login module automatically logs in any user within specified IP ranges for the account owner. The IP Login module does not provide any protections in itself, but could when used in conjunction with this module, provided that the issue raised here is dealt with. May I request that the User Protect module include a configurable setting which will deal with this?
Comment #3
MegaChriz commented:
Protection rules for a specific user don't count for the user itself. To prevent a user from editing their own account, you can uncheck the following permissions for authenticated users on the permissions page:
That way a user who is just an authenticated user cannot edit their username, mail address and password, nor cancel their own account. If some users should be able to edit these properties (for their own account), you should assign these permissions to another role and give these users that role.
A feature to prevent an account from being viewed is not provided by this module.
A feature to prevent a user from editing their own account is requested in #1172518: Users should NOT always be able to access their own edit page. Also, this feature will be added to the Drupal 8 version of User protect.