Introduced in branch: 10.3.x
Introduced in version: 10.3.0
Description: 

Since issue #3376846 ("Implement the new access policy API") was committed, user 1's special privileges are part of the SuperUserAccessPolicy, which can be turned off. From Drupal 10.3.0 onwards, you can toggle this behavior in your default.services.yml file by setting security.enable_super_user to false.

For example:

parameters:
  # Toggles the super user access policy. If your website has at least one user
  # with the Administrator role, it is advised to set this to false. This allows
  # you to make user 1 a regular user, strengthening the security of your site.
  security.enable_super_user: false

Tests

Core Browser, Kernel and Nightwatch tests now run with the super user access policy turned off.

Browser, Kernel and Nightwatch tests in contrib still run with the access policy turned on. If you want your tests to opt out of the access policy, you need to set the $usesSuperUserAccessPolicy property to FALSE:

  /**
   * {@inheritdoc}
   */
  protected bool $usesSuperUserAccessPolicy = FALSE;

Because user 1 was allowed to do everything, tests were succeeding even though they shouldn't have. Many tests were not handing out the permissions any other user would need to succeed.

Tests now have to define the permissions a user account needs in order to succeed. All core tests that violated this principle have been or are being fixed; see #3437620: [Meta] Fix all tests that rely on UID1's super user behavior. This will not affect any existing tests in contrib, even if they are not properly assigning the required permissions. To have your contrib tests run with the access policy turned off, you need to set the boolean $usesSuperUserAccessPolicy as described above.

You can fix your tests by assigning the right permissions to the test users in the test set up. If you were specifically testing for user 1 behavior, you should remove that code from your test suite.
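The following functional test is an added example, not code from the change record or from Drupal core. It opts out of the super user access policy and grants the permission explicitly, then confirms that an account without it is denied. The module name my_module and the class name are hypothetical; the route and permission belong to core's System module.

```php
<?php

declare(strict_types=1);

namespace Drupal\Tests\my_module\Functional;

use Drupal\Tests\BrowserTestBase;

/**
 * Checks the site information form with explicitly granted permissions.
 *
 * Constructed example: "my_module" and this class name are hypothetical.
 *
 * @group my_module
 */
class SiteInformationAccessTest extends BrowserTestBase {

  /**
   * {@inheritdoc}
   */
  protected $defaultTheme = 'stark';

  /**
   * {@inheritdoc}
   */
  protected bool $usesSuperUserAccessPolicy = FALSE;

  /**
   * A user holding the permission the route requires is let in.
   */
  public function testAccessWithPermission(): void {
    // Grant exactly what the page needs instead of relying on user 1.
    $admin = $this->drupalCreateUser(['administer site configuration']);
    $this->drupalLogin($admin);
    $this->drupalGet('admin/config/system/site-information');
    $this->assertSession()->statusCodeEquals(200);
  }

  /**
   * A user without the permission is denied.
   */
  public function testAccessWithoutPermission(): void {
    // An authenticated account with no extra permissions.
    $this->drupalLogin($this->drupalCreateUser());
    $this->drupalGet('admin/config/system/site-information');
    $this->assertSession()->statusCodeEquals(403);
  }

}
```

The negative case is what the super user behavior used to hide: it only proves something once no account in the test bypasses permission checks.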

The final goal is to completely remove the super user access policy. More on that here: #3438901: [Meta] Plan for deprecating and eventually removing the super user access policy.

Impacts: 
Site builders, administrators, editors
Module developers
Distribution developers