Add a sniff for checking against hard-coding uid=1 permissions

Created on 25 May 2018, over 6 years ago
Updated 28 July 2023, over 1 year ago

Problem/Motivation

In the context of the issue "Add a container parameter that can remove the special behavior of UID#1" (Fixed), it was found that several contrib modules hardcode a check for user ID 1 (traditionally, in Drupal this user receives all possible permissions due to a hardcoded check in the access check routine). This is a bad practice either way, but will become more problematic when core actually removes this behaviour, because site maintainers may become less careful about uid=1.

Proposed resolution

Add a sniff to the DrupalPractice profile that seeks out code checking against the user ID being equal to 1, pointing to the risks and the above issue (may later be changed to point to a change record outlining the change).

Remaining tasks

  1. Agree this makes sense as a change for Coder
  2. Write a patch
  3. Commit

Feature request

Status: Active
Version: 2.0
Component: Coder Sniffer
Created by: eelkeblok (🇳🇱 Netherlands)
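
The kind of detection the proposed sniff would perform, as an added example that is not part of the issue or of Coder's code. It uses PHP's built-in tokenizer (PHP 7.4 or later) rather than the PHP_CodeSniffer API; the function name `find_uid1_checks`, the operand patterns in `UID_OPERAND` and the sample input are assumptions made for illustration.

```php
<?php
// Added example: heuristic scan for comparisons of a user ID against the literal 1.
// Assumption: a "user ID operand" ends in $uid, ->uid, getOwnerId() or a user/account ->id().
const UID_OPERAND = '/(\$(\w*_)?uid|->uid|(user|account)\w*(\(\))?->id\(\)|->getOwnerId\(\))$/i';

function find_uid1_checks(string $source): array
{
    // Keep significant tokens only, normalised to [id, text, line].
    $tokens = [];
    foreach (token_get_all($source) as $t) {
        if (is_array($t) && in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            continue;
        }
        $tokens[] = is_array($t) ? $t : [null, $t, 0];
    }
    $isOne = fn(?array $t): bool => $t !== null
        && in_array($t[0], [T_LNUMBER, T_CONSTANT_ENCAPSED_STRING], true)
        && trim($t[1], "'\"") === '1';
    $compare = [T_IS_EQUAL, T_IS_IDENTICAL, T_IS_NOT_EQUAL, T_IS_NOT_IDENTICAL];
    $findings = [];
    foreach ($tokens as $i => $op) {
        if (!in_array($op[0], $compare, true)) {
            continue;
        }
        $operand = '';
        if ($isOne($tokens[$i + 1] ?? null)) {
            // `<expr> == 1`: the operand is the tail of the tokens before the operator.
            $operand = implode('', array_column(array_slice($tokens, max(0, $i - 8), min($i, 8)), 1));
        } elseif ($isOne($tokens[$i - 1] ?? null)) {
            // Yoda form `1 == <expr>`: read forward to the end of the expression.
            for ($j = $i + 1, $depth = 0; $j < count($tokens); $j++) {
                $x = $tokens[$j][1];
                $depth += (int) ($x === '(') - (int) ($x === ')');
                if ($depth < 0 || ($depth === 0 && in_array($x, [';', '&&', '||', '?', ',', '{'], true))) {
                    break;
                }
                $operand .= $x;
            }
        }
        if (preg_match(UID_OPERAND, $operand, $m)) {
            $findings[] = ['line' => $op[2], 'match' => $m[0]];
        }
    }
    return $findings;
}

// Constructed sample input: two user ID checks and one node ID check that must not be reported.
$sample = "<?php\nif (\$account->id() == 1) {}\nif (1 === \\Drupal::currentUser()->id()) {}\nif (\$node->id() == 1) {}\n";
print_r(find_uid1_checks($sample));
```

The patterns are name-based, so a user ID held in a variable with an unrelated name is missed, and the result is a prompt for manual review rather than a verdict.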
