This module allows user 1 to be deleted via an HTTP request.

You can see this by:
1. Enabling the module
2. As a user with "administer users" permission send the following HTTP request:

curl [auth] -X DELETE http://farm.local/user/1

This results in user 1 being deleted from the system.

(Note that this does not include steps for authentication (e.g. the [auth] part of the curl example above). There are various ways to do this with the RESTful Web Services module, but that does not affect this issue. However, the steps to reproduce above omit the authentication part for simplicity.)

Drupal core provides two ways to delete (aka Cancel) user accounts: by editing the account and clicking the "Cancel account" button at the bottom, and by using the "Cancel selected accounts" action in /admin/people.

Both of these Drupal core mechanisms are prevented from being used on user 1.

In the case of the "Cancel account" button, the button is not shown at all when editing user 1's account. In the case of the "Cancel selected users" action, there is code in the action callback that prevents acting on user 1: https://cgit.drupalcode.org/drupal/tree/modules/user/user.module?h=7.x#n...

This is mitigated by the fact that the user needs the "administer users" permission, which already gives them a lot of power. However, this module allows them to delete user 1, which they are not able to do in Drupal core alone.
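As an added illustration (not code from this issue or from the RESTful Web Services module), a small site-specific module that reinstates core's user 1 protection on the REST path. It assumes restws invokes hook_restws_request_alter() with a request array carrying the keys 'op', 'resource' and 'id', and that RestWSException takes a message and an HTTP status code; confirm both against restws.api.php in the installed version.

```php
<?php
/**
 * @file
 * Hypothetical protect_uid1.module: block REST deletion of user 1.
 *
 * Assumption: restws calls hook_restws_request_alter() before dispatching,
 * passing 'op', 'resource' and 'id' in $request, and RestWSException's
 * code is used as the HTTP status. Verify against the installed restws.
 */

/**
 * Implements hook_restws_request_alter().
 *
 * Mirrors what Drupal core already does for the "Cancel account" button
 * and the "Cancel selected accounts" action: user 1 is never removed,
 * regardless of the caller's permissions.
 */
function protect_uid1_restws_request_alter(array &$request) {
  if (protect_uid1_is_uid1_delete($request)) {
    // Record the attempt so an administrator can review who made it.
    watchdog('protect_uid1', 'Blocked REST delete of user 1 by uid @uid.',
      array('@uid' => $GLOBALS['user']->uid), WATCHDOG_WARNING);
    // 403 keeps the response consistent with other denied operations.
    throw new RestWSException('Deleting user 1 is not allowed.', 403);
  }
}

/**
 * Returns TRUE when the request would delete the user resource with id 1.
 *
 * Kept separate so the decision can be tested without a Drupal bootstrap.
 * The id is compared as a string because restws reads it from the URL path.
 */
function protect_uid1_is_uid1_delete(array $request) {
  return isset($request['op'], $request['resource'], $request['id'])
    && $request['op'] === 'delete'
    && $request['resource'] === 'user'
    && (string) $request['id'] === '1';
}
```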

Comments

m.stenta created an issue.

m.stenta:

Note: This was deemed to be not a security issue by the Drupal security team.

lokapujya:

Priority: Major » Minor

Doesn't inhibit the functionality of REST as it would normally be used.