Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Maybe I'm doing something wrong, but I can't get this module to work.
I've created the roles "Admin" and "superuser". Admins can do anything. I've granted superusers permission to administer users.
Note that I've also installed and enabled the Role Delegation module, and I've granted superusers permission to assign the "superuser" role to other users.
I've configured Role Protect with the following:
- protected users: anonymous has openid, deletion, and all account edits checked (this is the default)
- protected roles: checked every box for the Admin role
- administrator bypass: no administrator bypasses defined
- protection defaults: user protection defaults: username, email, deletion, and auto-protect new users; no administrator bypass defaults checked
The user wwinett is assigned the Admin role. The user jdoe is assigned the superuser role.
I log in as jdoe, and in testing I find that jdoe can add and remove the superuser role from wwinett. Given that I've completely protected the Admin role, and that wwinett is an Admin, I would expect that jdoe should not be able to do this.
Just for kicks, I disabled the Role Delegation module. I then again logged in as jdoe, and I was able to block and unblock wwinett. Again, I would expect that jdoe shouldn't be able to do this.
Am I misunderstanding how this module works?
Comments
Comment #1
hunmonk CreditAttribution: hunmonk commentedthe setup looks ok.
couple of things:
Comment #2
bwinett CreditAttribution: bwinett commentedWow - quick response. Thanks!
Thanks for any further help you can provide.
[edit]
I created a second site, starting from scratch. The only modules I've enabled are Administration Menu, Poormanscron, and User Protect. And User Protect works as expected! So my assumption is that there's some conflict from a related module (maybe Role Delegation, Workflow, or OG?) that remained even after I disabled and uninstalled them. I'll enable these one by one and see if this module stops working as expected.
[edit]
The plot thickens. In the new site I enable Role Delegation and give jdoe permission to assign roles. And now jdoe can do this, even to users who are admins - even though I've configured User Protect to disallow that. But - jdoe still can't block and unblock users who are admins! This is different behavior than in my first site.
And here's another behavior that seems just as strange: back on my first site, I go to User Protect, and I add protection for the user wwinett. The default protection is on username, email address, and deletion. Despite the protection on the admin role, jdoe is able to block and unblock wwinett. Now I remove the protection on the user wwinett - and jdoe is no longer allowed to block and unblock wwinett!
Maybe this is getting too confusing. Luckily, I'm just developing my sites, so I can start from scratch and make sure this module is working correctly.
Comment #3
hunmonk CreditAttribution: hunmonk commenteddefinitely sounds like a module conflict. unfortunately, i can't spend time debugging contrib module conflicts, as they can be very time intensive.
if you can point me to a specific problem in UserProtect that's caused by an improper implementation of a Drupal API, then i'm happy to fix it.
also in the future, please create new comments instead of editing an existing one -- it makes it much easier for people getting email notifications to follow the thread.
Comment #4
bwinett CreditAttribution: bwinett commentedThanks for the response. Because it's working now, I'll mark this as closed.
And thanks for letting me know about the comment editing issue. I'll create new comments in the future.
Comment #5
dddbbb CreditAttribution: dddbbb commentedbwinett: Do you have any more info on how you got this working?
I feel I have a good enough grasp on the concept and settings of this module (thanks to the excellent documentation) but also can't get it to work. My only admin user (user 1) seems to not be protected from edits/deletion at all.
I also have the role delagation module installed and enabled.
Any feedback would be appreciated as this module seems to be the most promising for the job.
Comment #6
osopolarI have the same Problem, can't protect the admin user.
Comment #7
osopolarIt's really a bit confusing. Because when you install the module you see the admin account (user 1) on the page "Protected users". So you guess he is protected. Than you try, but he isn't. So you just enable all protections, but this has no effect, user one is not protected from edit of users who has the right "administer users". All the other users without this privilege aren't able to edit other users.
I looked briefly into the large README.txt. It is there, but there is so much Text that it's easily overlooked. Under "SETTINGS:" you can read: "This effectively amounts to no protections. It is suggested that you turn off as many default administrator bypass settings as possible ..."
Improvements:
1) The README is plain text. > I suggest to use Markdown and emphasize **important parts** like the above one.
2) To me it seems to be the most important pitfall that you enable the module and expect that the admin is save ;)
Therefore put it on the module page and somehow on the top of the module: **Enabling this module will not protect any user from being edited by users with the permission "administer users". To achive this you need to change the "Administrator bypass defaults" under "protection defaults". For more informations read the sections SETTINGS and HOW THE MODULE DETERMINES A PROTECTION**
Comment #8
hunmonk CreditAttribution: hunmonk commented@osopolar: please file your request in a separate issue instead of hijacking this one.
Comment #9
osopolarhmmm i was not aware hijacking this issue, i just tried to answer #5, thought this was common mistake, but you are right, i´ll open a new issue.