Anonymous and Authenticated roles are deletable

Created on 30 July 2023, over 1 year ago

Updated 3 January 2024, 11 months ago

Problem/Motivation

It is possible to delete the anonymous and authenticated user roles from a Drupal installation. Even though this is not possible through the UI, it is possible to delete these roles by importing configuration that deletes these roles, or by (custom or contrib modules) uninstall hooks that (sometimes unknowingly) remove these roles.

Examples of this unwanted behavior can be found in https://www.drupal.org/project/webform/issues/3346583#comment-15163649 🐛 New or edited form fields not displayed on front-end when 'authenticated' user role is not present Closed: duplicate , https://www.drupal.org/project/drupal/issues/3368953 💬 Role Authenticated User is not visible Closed: duplicate , https://www.drupal.org/project/votingapi_widgets/issues/3265224 🐛 After uninstalling the module the Anonymous and Authenticated user roles where deleted! Active .

Although I fully embrace the flexibility of Drupal that allows developers to fully customize their installation to their wishes, I believe that these roles should always be present. It seems that core itself relies on these roles being present, but also many contrib modules rely on those roles (see examples given above).

Steps to reproduce

Easy, not tested : Install and then uninstall Voting API Widgets module (see https://www.drupal.org/project/votingapi_widgets/issues/3265224 🐛 After uninstalling the module the Anonymous and Authenticated user roles where deleted! Active )

Less easy, own finding:
- Use drush-command config:export to export the configuration (including the anonymous and authenticated user role).
- Delete the newly exported configuration file for he anonymous and/or authenticated role
- Import the configuration files (this step should delete the roles, as their configuration is not existing any more).

Above has been achieved in Drupal 10.1, Drush 12.1 on PHP 8.2 , but might apply to other configurations as well.

Proposed resolution

I'm not sure. Of course, not including the anonymous and authenticated user roles in the config export/import would prevent this problem, but would also mean less freedom to change or edit the configuration. II think it would be best to still be able to change everything except the machine names of the roles, and not be able to delete those roles in any way, including the ways described above. That would also mean that e.g. uninstall-hooks from other modules should not be able to cause deletion of these roles.

User interface changes

None, as deleting the Anonymous and Authenticated user roles through the UI is already impossible.

🐛 Bug report

Status

Active

Version

11.0 🔥

Component

User system →

Last updated 2 days ago

Maintained by
🇺🇸United States @moshe weitzman
🇧🇪Belgium @kristiaanvandeneynde

Created by

🇳🇱Netherlands Dimiter

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @Dimiter
Comment over 1 year ago →
cilefen
Comment over 1 year ago →
🇳🇱Netherlands Dimiter
Comment over 1 year ago →
🇳🇱Netherlands Dimiter
Comment about 1 year ago →
🇫🇷France fgm Paris, France
Not only that, but they are also not exported, as mentioned on 🐛 Config exporting deletes user anonymous and user authenticated if a dependency on a config_exclude_modules exists Active , causing loss of permissions applied to these roles.
Comment 11 months ago →
🇧🇪Belgium gorkagr
Although fixed, another example of a module (comment module of core) affected if a role (authenticated in that case) is deleted.
Comment 11 months ago →
🇮🇹Italy apaderno Brescia, 🇮🇹
It should be noticed that, in some cases, the roles are deleted because they get some extra permissions that are defined from a module which is then uninstalled.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024