By kristiaanvandeneynde on
Change record status: 
Published (View all published change records)
Project: 
Drupal core
Introduced in branch: 
10.3.x
Introduced in version: 
10.3.0
Issue links: 
https://www.drupal.org/node/540008
Description: 

Since #3376846: Implement the new access policy API was committed, user 1's special privileges are now part of the SuperUserAccessPolicy, which can be turned off. From Drupal 10.3.0 onwards, you can toggle this behavior in your site's services.yml file by setting security.enable_super_user to false.

For example:

parameters:
  # Toggles the super user access policy. If your website has at least one user
  # with the Administrator role, it is advised to set this to false. This allows
  # you to make user 1 a regular user, strengthening the security of your site.
  security.enable_super_user: false

If you get locked out of your site, then changing the parameter back to true will make user 1 a super user again.

After changing the parameter the container must be rebuilt. Rebuilding the caches using the user interface, Drush or visiting core/rebuild.php can do this.

Tests

Core Browser, Kernel and Nightwatch tests now run with the super user access policy turned off.

Browser, Kernel and Nightwatch tests in contrib still run with the access policy turned on. If you want your tests to opt out of the access policy, you need to set the $usesSuperUserAccessPolicy property to FALSE:

  /**
   * {@inheritdoc}
   */
  protected bool $usesSuperUserAccessPolicy = TRUE;

Because user 1 was allowed to do everything, tests were succeeding even though they shouldn't have. Many tests were not handing out the permissions any other user would need to succeed.

Tests now have to define the permissions a user account needs in order to succeed. All core tests that were in violation of this principle have been/are being fixed, see: #3437620: [Meta] Fix all tests that rely on UID1's super user behavior. This will not affect any existing tests in contrib even if they are not properly assigning the required permissions. For that to work, you need to set the boolean $usesSuperUserAccessPolicy as described above.

You can fix your tests by assigning the right permissions to the test users in the test set up. If you were specifically testing for user 1 behavior, you should remove that code from your test suite.

The final goal is to completely remove the super user access policy. More on that here: #3438901: [Meta] Plan for deprecating and eventually removing the super user access policy

Impacts: 
Site builders, administrators, editors
Module developers
Site templates, recipes and distribution developers

Comments

rares petru samartean’s picture

rares petru samartean commented

If your website has at least one user
# with the Administrator role...

This is quite misleading. This does nothing if the user uid 1 has the Administrator role.
What this setting does is: if the user uid 1 does not have the Administrator role, it's no longer granted all permissions as it usually is, as I understand from the Drupal site.
Related: https://www.drupal.org/project/drupal/issues/3485663
If uid 1 has an administrator role this setting does nothing.
I appreciate the change though, this is useful.