I have three roles: administrator/maintainer/authenticated user
There is only one user in the role called administrator, and that user is called admin.
I log in as a user with the role maintainer.
example.com/admin/people
click on "edit" for user "admin"
I get the following message that I would expect:
"admin has been protected from the following editing operations: username, e-mail, status, roles, cancel"
If I click on the "password" tab, I can then change the password for user "admin". There is no warning message and the system doesn't stop me.
Can anyone suggest what I'm doing wrong?
configuration as follows:
in PROTECTED USERS:
admin: user, email, password, status, roles, cancel are all checked
there are no other protected users
in PROTECTED BY ROLE:
administrator: user, email, password, status, roles, cancel are all checked
nothing is checked for other roles
in ADMINISTRATOR BYPASS:
admin has all items checked.
no other user has been added
in PROTECTION DEFAULTS:
only status and cancel in User protection defaults are checked
nothing else is checked
in PERMISSIONS:
maintainer cannot administer permissions, but can do all other user functions
Comment | File | Size | Author |
---|---|---|---|
#3 | davidjmcq_userprotect.png | 85 KB | davidjmcq |
Comments
Comment #2
MegaChriz (as a volunteer) commented:
Thanks for the detailed information about your configuration.
I see nothing wrong about your configuration. I tested your configuration on my local install, logged in as a user with "administer users" permission and wasn't able to edit the password of the user 1 account.
Since you talk about password tab instead of field, do you have the password fields on a different page, instead of the user account edit page (user/x/edit)? User protect only protects the password field on that page, not other pages. Drupal 7 doesn't have a unified system for checking field access, so protecting fields can only be done by altering specific forms. If the password field is on a different form, User protect cannot protect the field there since it doesn't know about the existence of that form.
Comment #3
davidjmcq commented:
Thanks for your prompt reply!
I've got three Drupal 7 sites, and all of them have password editing on a separate tab:
example.com/user/1/edit
example.com/user/1/password
I can't find anywhere to change this behaviour. I've attached a screenshot.
Comment #4
davidjmcq commented:
Answering my own question:
Password Policy module 7.1 is installed on my system, and it includes a separate password tab module. All I had to do was disable the Password Tab part of the Password Policy module.
Comment #5
MegaChriz (as a volunteer) commented:
Okay, I assume this issue is fixed then. :)
Besides Password Policy, I saw that there are more modules that put the password field on a separate page:
https://www.drupal.org/project/password_tab
https://www.drupal.org/project/change_pwd_page
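
The gap explained in Comment #2 (protection applied per form, so a password field on a separate page is missed) can be closed with a form-agnostic check. This is an added example, not code from User protect, Password Policy or this thread: `pass_guard` is a hypothetical custom Drupal 7 module, the protection policy is constructed for illustration, and it assumes a separate password form receives the account as its first build argument.

```php
<?php
// pass_guard.module: hypothetical custom Drupal 7 module (added example).

/**
 * Implements hook_form_alter(). Runs for every form, so it also covers
 * password forms outside user_profile_form, e.g. a user/%/password tab.
 */
function pass_guard_form_alter(&$form, &$form_state, $form_id) {
  // user_profile_form exposes the edited account as $form['#user'].
  // Assumption: other password forms get it as their first build argument.
  $account = NULL;
  if (isset($form['#user']) && is_object($form['#user'])) {
    $account = $form['#user'];
  }
  elseif (isset($form_state['build_info']['args'][0]) && is_object($form_state['build_info']['args'][0])) {
    $account = $form_state['build_info']['args'][0];
  }
  if (!$account || empty($account->uid) || !isset($account->roles)) {
    return;
  }

  // Constructed policy: accounts holding the site's administrator role are
  // protected from everyone except themselves and permission administrators.
  $admin_rid = variable_get('user_admin_role', 0);
  $protected = $admin_rid && isset($account->roles[$admin_rid]);
  $exempt = $GLOBALS['user']->uid == $account->uid || user_access('administer permissions');
  if ($protected && !$exempt) {
    _pass_guard_lock_passwords($form);
  }
}

/**
 * Recursively denies access to every password element in a form array.
 */
function _pass_guard_lock_passwords(array &$element) {
  foreach (element_children($element) as $key) {
    if (!is_array($element[$key])) {
      continue;
    }
    $type = isset($element[$key]['#type']) ? $element[$key]['#type'] : '';
    if (in_array($type, array('password', 'password_confirm'))) {
      $element[$key]['#access'] = FALSE;
    }
    else {
      _pass_guard_lock_passwords($element[$key]);
    }
  }
}
```

With `#access` set to FALSE the Form API ignores submitted input for that element, so a hand-crafted POST cannot supply a value for it either. Disabling the separate password tab, as done in Comment #4, remains the simpler fix when the tab is not needed.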