Problem/Motivation

The configuration form at /admin/config/people/user-expire presents inactivity expiration as role-based, and the docs say to enter 0 for roles whose users should not expire.

That is misleading when authenticated is configured.

In Drupal, authenticated applies to all logged-in users, including users with more specific roles like administrator. This behavior appears to have been introduced intentionally in the 2015 issue Expire users in the authenticated user role (#2598452) so that authenticated would apply to all logged-in users rather than relying on role table membership.

In user_expire, a rule like this:

  • authenticated = 7776000 (90 days)
  • administrator = 0

still expires administrator accounts after 90 days of inactivity. Setting administrator to 0 does not override or exclude the authenticated rule.

This may be working as designed, but the current UI/help text makes it easy to assume that role settings are independent and that 0 on a more specific role creates an exemption.

Steps to reproduce

  1. Enable user_expire.
  2. Go to /admin/config/people/user-expire.
  3. Configure:
     • authenticated = 7776000
     • administrator = 0
  4. Use an administrator account whose last access time is older than 90 days.
  5. Run cron / expiration processing.

Actual result

The administrator account is expired.

Expected result

At minimum, the UI and documentation should clearly explain that:

  • authenticated applies to all logged-in users, including administrators.
  • Setting another role to 0 does not exclude those users from the authenticated rule.

Proposed resolution

Clarify the form help text and docs, especially around the authenticated role. For example:

Authenticated applies to all logged-in users, including users with additional roles such as Administrator. Setting another role to 0 does not exclude those users from the Authenticated inactivity rule.

It may also help to show a validation warning when authenticated > 0 and another role is set to 0, since that combination is easy to misinterpret.

A stronger UI option might be to hide or disable all other role-specific inactivity fields whenever authenticated has a non-zero value, since that rule applies to all logged-in users and the remaining role fields may otherwise imply override behavior that does not exist.
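
A sketch of the check behind the proposed validation warning, as an added example that is not part of the issue or of user_expire's code: it flags roles set to 0 while authenticated is non-zero and lists the accounts in those roles that the authenticated rule would still expire. The function names, the account array shape, and the sample data are assumptions, and it models only the behaviour described in the summary.

```php
<?php
declare(strict_types=1);
// Added example, not user_expire code. Models only what the issue states:
// the authenticated rule covers every logged-in account, and 0 on another
// role does not exempt anyone from it.

/** Roles set to 0 while authenticated is non-zero (the misleading combination). */
function misleading_zero_roles(array $role_seconds): array {
  $authenticated = (int) ($role_seconds['authenticated'] ?? 0);
  if ($authenticated <= 0) {
    return [];
  }
  $roles = [];
  foreach ($role_seconds as $role => $seconds) {
    if ($role !== 'authenticated' && (int) $seconds === 0) {
      $roles[] = $role;
    }
  }
  return $roles;
}

/** Accounts holding a 0 role that the authenticated rule would still expire. */
function accounts_assumed_exempt(array $role_seconds, array $accounts, int $now): array {
  $zero_roles = misleading_zero_roles($role_seconds);
  if ($zero_roles === []) {
    return [];
  }
  $cutoff = $now - (int) $role_seconds['authenticated'];
  $hits = [];
  foreach ($accounts as $account) {
    $held = array_values(array_intersect($account['roles'], $zero_roles));
    if ($held !== [] && $account['access'] < $cutoff) {
      $hits[$account['name']] = $held;
    }
  }
  return $hits;
}

// Constructed sample data: hypothetical accounts and timestamps.
$now = 1700000000;
$config = ['authenticated' => 7776000, 'administrator' => 0, 'editor' => 2592000];
$accounts = [
  ['name' => 'site_admin', 'roles' => ['administrator'], 'access' => $now - 100 * 86400],
  ['name' => 'active_admin', 'roles' => ['administrator'], 'access' => $now - 5 * 86400],
  ['name' => 'old_editor', 'roles' => ['editor'], 'access' => $now - 200 * 86400],
];
foreach (accounts_assumed_exempt($config, $accounts, $now) as $name => $roles) {
  printf("%s: [%s] = 0, still expired by authenticated\n", $name, implode(', ', $roles));
}
```

Running a check like this before cron gives an operator the list of privileged accounts that would be blocked despite the 0 setting, which matters most when every administrator on a site is inactive.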


Comments

berliner created an issue. See original summary.


Status: Active » Needs review

I have created MR46 for my preferred option:

A stronger UI option might be to hide or disable all other role-specific inactivity fields whenever authenticated has a non-zero value, since that rule applies to all logged-in users and the remaining role fields may otherwise imply override behavior that does not exist.