Drupal 8 automatically assigns all permissions to the administrator role. The "Bypass password policies" permission is automatically applied to administrators, but the policy form still allows the administrator role to be selected.
I am proposing an additional check that...
1. Checks if the administrator role applies to the form
2. Checks if there are any administrator policies
3. Adds an additional condition to the "bypass password policies" check to verify points 1 and 2 for admin role only
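As an added illustration of the three-step check proposed above (example code written for this thread, not the Password Policy module's own code), the function below assumes `$policies` is a list of objects exposing `getRoles()` returning the role IDs a policy targets, and that the permission's machine name is `bypass password policies`; it uses only the Drupal core `AccountInterface` and `Role` APIs:

```php
<?php

use Drupal\Core\Session\AccountInterface;
use Drupal\user\Entity\Role;

/**
 * Decide whether password-policy validation should run for $account.
 *
 * Added example, not the Password Policy module's code. $policies is an
 * array of objects with getRoles() (assumed shape of a policy config entity).
 */
function password_policy_example_applies(AccountInterface $account, array $policies): bool {
  // Step 1: collect the account's roles flagged is_admin. Drupal 8 grants such
  // roles every permission, so "bypass password policies" is always set there
  // whether or not the site builder chose it.
  $admin_roles = [];
  foreach ($account->getRoles() as $rid) {
    $role = Role::load($rid);
    if ($role && $role->isAdmin()) {
      $admin_roles[] = $rid;
    }
  }

  // Step 2: does any configured policy explicitly target an admin role?
  $admin_policy_exists = FALSE;
  foreach ($policies as $policy) {
    if (array_intersect($admin_roles, $policy->getRoles())) {
      $admin_policy_exists = TRUE;
      break;
    }
  }

  // Step 3: honour the bypass permission only when it was not implied by the
  // admin role while a policy targets that role (assumed permission name).
  $implied_by_admin = $admin_roles && $admin_policy_exists;
  if ($account->hasPermission('bypass password policies') && !$implied_by_admin) {
    return FALSE;
  }
  return TRUE;
}
```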
Comments
Comment #2
nerdstein
Assigning to myself to develop a patch
Comment #3
nerdstein
Comment #4
nerdstein
See https://www.drupal.org/node/2773647 for another example of where we need to explore permissions. This might include a new Bypass Password Reset permission.
Comment #5
mroycroft CreditAttribution: mroycroft at Workday, Inc. commented
I'm a bit hesitant to add a new permission, and suspect of the original "bypass password policies" permission. It seems the solution for the bypass policies permission is to configure policies to not capture that role. It makes the configuration less meaningful if there is a permission that contradicts the policy configuration, and harder to solve problems such as identifying when password policy validation should occur. There is a valid use case to allow users with (a new) permission to edit other user profiles without password policy validation running: https://www.drupal.org/node/2786315. The original proposed solution seems appropriate, but also removing the bypass password policy permission is probably for the best. Let me know your thoughts, thanks.
Comment #6
mikebrooks CreditAttribution: mikebrooks at SNP Technologies, Inc. commented
I agree with mroycroft that removal of the "Bypass password policies" is best.
In our use case, we have three users having the Administrator role. We want to enforce the password policy for this role, but the "Bypass password policies" permission for the Administrator role is selected and disabled.
Comment #7
mroycroft CreditAttribution: mroycroft at Workday, Inc. commented
This issue should be resolved by #2849271: Decouple display of policy table and policy validation. It made sense to handle it there since that ticket was also addressing issues with when password policy validation should occur.
Comment #8
daggerhart CreditAttribution: daggerhart commented
I'm in complete agreement for the removal of this permission. For a role to "bypass" password policy, it should just not have a password policy. Seems unnecessary and error prone to have a permission which basically means "ignore this module". This issue is further compounded by the User 1 always having all permissions, so user 1 will always bypass password policy.
I don't necessarily agree that this should be done in #2849271: Decouple display of policy table and policy validation. It does seem mildly convenient for that patch, but the issue isn't related to the permission enough directly. I think it'd be better to do the work in a dedicated issue such as this one: #2862906: Remove "bypass password policies" permission
Comment #9
Kristen Pol
Thanks to everyone for the work on this issue.
I'm going through all the 8.x issues.
Since #2862906: Remove "bypass password policies" permission has been fixed, closing this as duplicate per #8.