Anonymous and Authenticated roles are deletable

Created on 30 July 2023, over 1 year ago
Updated 3 January 2024, 12 months ago

Problem/Motivation

It is possible to delete the anonymous and authenticated user roles from a Drupal installation. Even though this is not possible through the UI, it is possible to delete these roles by importing configuration that deletes these roles, or by (custom or contrib modules) uninstall hooks that (sometimes unknowingly) remove these roles.

Examples of this unwanted behavior can be found in https://www.drupal.org/project/webform/issues/3346583#comment-15163649 🐛 New or edited form fields not displayed on front-end when 'authenticated' user role is not present Closed: duplicate , https://www.drupal.org/project/drupal/issues/3368953 💬 Role Authenticated User is not visible Closed: duplicate , https://www.drupal.org/project/votingapi_widgets/issues/3265224 🐛 After uninstalling the module the Anonymous and Authenticated user roles where deleted! Active .

Although I fully embrace the flexibility of Drupal that allows developers to fully customize their installation to their wishes, I believe that these roles should always be present. It seems that core itself relies on these roles being present, but also many contrib modules rely on those roles (see examples given above).

Steps to reproduce

Easy, not tested : Install and then uninstall Voting API Widgets module (see https://www.drupal.org/project/votingapi_widgets/issues/3265224 🐛 After uninstalling the module the Anonymous and Authenticated user roles where deleted! Active )

Less easy, own finding:
- Use drush-command config:export to export the configuration (including the anonymous and authenticated user role).
- Delete the newly exported configuration file for he anonymous and/or authenticated role
- Import the configuration files (this step should delete the roles, as their configuration is not existing any more).

Above has been achieved in Drupal 10.1, Drush 12.1 on PHP 8.2 , but might apply to other configurations as well.

Proposed resolution

I'm not sure. Of course, not including the anonymous and authenticated user roles in the config export/import would prevent this problem, but would also mean less freedom to change or edit the configuration. II think it would be best to still be able to change everything except the machine names of the roles, and not be able to delete those roles in any way, including the ways described above. That would also mean that e.g. uninstall-hooks from other modules should not be able to cause deletion of these roles.

User interface changes

None, as deleting the Anonymous and Authenticated user roles through the UI is already impossible.

🐛 Bug report
Status

Active

Version

11.0 🔥

Component
User system 

Last updated about 18 hours ago

Created by

🇳🇱Netherlands Dimiter

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Production build 0.71.5 2024