This module allows fine-grained access control over user administrators by providing various editing protections for users. Protections can be specific to a user or applied to all users in a role.
Note: Up until the D7 version, User Protect has a complicated configuration -- please take the time to read the very extensive module help before using it!
The following protections are supported:
- E-mail address
- Edit operation (user/X/edit)
- Delete operation (user/X/delete or user/X/cancel)
Additionally, the following protections are supported in 7.x-1.x and earlier:
- OpenID identities
How it works
There are two types of protection rules:
- User based protection rules: these apply to a single user.
- Role based protection rules: these apply to all users that have that role.
A protection rule prevents any user from performing the selected editing operations (such as changing the password or the e-mail address) on the specified user. There are two exceptions in which a configured protection rule does not apply:
- The logged-in user has permission to bypass the protection rule. In Drupal 8, this can be configured with a user permission. In Drupal 7, it is configured by adding a bypass rule at /admin/config/people/userprotect/administrator_bypass (for one specific user) or by changing the "Administrator bypass defaults" at /admin/config/people/userprotect/protection_defaults (for all users, except the ones for which a bypass rule exists).
- The specified user is the currently logged-in user. Protection rules do not apply to the user itself. Instead, there are permissions available to prevent a user from editing their own account, username, e-mail address or password.
Protected fields will be disabled or hidden on the form at user/X/edit. The edit and delete operations are protected by controlling access on the paths user/X/edit and user/X/delete.
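The decision described above (user based and role based rules, the bypass exception and the own-account exception) can be modelled in a few lines of plain PHP. This is an added example, not code from the User Protect module. The function name, array shapes, permission strings and the way several matching rules combine are assumptions made for the illustration.

```php
<?php
// Added illustration; not User Protect's code. Array shapes and
// permission strings are hypothetical.

/** Returns TRUE when $operation on $target is blocked for $actor. */
function protection_blocks(array $actor, array $target, string $operation, array $rules): bool {
  // Exception: protection rules never apply to a user acting on itself
  // (own-account edits are governed by separate permissions).
  if ($actor['uid'] === $target['uid']) {
    return FALSE;
  }
  foreach ($rules as $rule) {
    // A user based rule matches one uid; a role based rule matches
    // every account that holds the role.
    $matches = $rule['type'] === 'user'
      ? $rule['entity'] === $target['uid']
      : in_array($rule['entity'], $target['roles'], TRUE);
    if (!$matches || !in_array($operation, $rule['protections'], TRUE)) {
      continue;
    }
    // Exception: the actor may bypass this particular rule.
    if (in_array($rule['bypass'], $actor['permissions'], TRUE)) {
      continue;
    }
    // Assumption: one matching rule without a bypass is enough to block.
    return TRUE;
  }
  return FALSE;
}

// Constructed sample rules and accounts.
$rules = [
  ['type' => 'user', 'entity' => 1, 'protections' => ['mail', 'edit', 'delete'], 'bypass' => 'bypass uid 1 rule'],
  ['type' => 'role', 'entity' => 'editor', 'protections' => ['delete'], 'bypass' => 'bypass editor rule'],
];
$accounts = [
  'root' => ['uid' => 1, 'roles' => ['administrator'], 'permissions' => []],
  'helpdesk' => ['uid' => 7, 'roles' => ['support'], 'permissions' => []],
  'lead' => ['uid' => 8, 'roles' => ['support'], 'permissions' => ['bypass editor rule']],
  'writer' => ['uid' => 12, 'roles' => ['editor'], 'permissions' => []],
];
$cases = [['helpdesk', 'root', 'mail'], ['root', 'root', 'mail'], ['helpdesk', 'writer', 'delete'], ['lead', 'writer', 'delete'], ['lead', 'root', 'delete']];
foreach ($cases as [$actor, $target, $operation]) {
  $blocked = protection_blocks($accounts[$actor], $accounts[$target], $operation, $rules);
  printf("%s -> %s (%s): %s\n", $actor, $target, $operation, $blocked ? 'blocked' : 'allowed');
}
```

The last case is the one to check when reviewing a configuration: a bypass granted for the role based rule does not carry over to the user based rule protecting uid 1.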
The protections also apply to bulk operations provided by Drupal core and (for Drupal 7 only) to bulk operations provided by Views Bulk Operations. For the Drupal 6 version, bulk operations provided by Views Bulk Operations are not protected. There is an issue open to fix this: .
The module is compatible with the following modules:
For compatibility with the Role Delegation module, there is an issue: .
See https://drupal.org/node/980082 for a comparison of user edit protection modules.
- Maintenance status: Actively maintained
- Development status: Maintenance fixes only
- Module categories: User Management
- Reported installs: 10,063 sites currently report using this module.
- Downloads: 71,021
- Automated tests: Enabled
- Last modified: March 5, 2015
- Stable releases receive coverage from the Drupal Security Team.