Problem/Motivation

It is now possible to make UID 1 a normal user: https://www.drupal.org/node/2910500
In that scenario, it is not useful to block UID 1 user.

Steps to reproduce

Add this to services.yml:

parameters:
  # Toggles the super user access policy. If your website has at least one user
  # with the Administrator role, it is advised to set this to false. This allows
  # you to make user 1 a regular user, strengthening the security of your site.
  security.enable_super_user: false

Run the admin_user security check.

Proposed resolution

The admin_user check should pass if security.enable_super_user is set to false.

Issue fork security_review-3442664

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

prudloff created an issue. See original summary.

smustgrave made their first commit to this issue’s fork.

smustgrave opened merge request !66

smustgrave’s picture

smustgrave commented
Status: Active » Needs review

Maybe this?

smustgrave closed merge request !66

smustgrave’s picture

smustgrave commented
Status: Needs review » Fixed

Will include with next release.

smustgrave’s picture

smustgrave commented

  • smustgrave committed 371f16db on 3.0.x 
    Issue #3442664 by prudloff: Skip admin_user check if "security....

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.