The admin user and role should not be forced to bypass the password policy

Created on 28 September 2023, 9 months ago
Updated 3 October 2023, 9 months ago

Problem/Motivation

A security scan urged us to modify the system to force strong passwords.
It must not be possible to create users in the system with a weak password.
This module forces the admin role to bypass password policies, and this "feature" can't be turned off, so I can't force admin users to follow password policy rules (see attached screenshots).

Steps to reproduce

- Install the module.
- Set password policy rules.
- Create a user with a weak password as admin.

Proposed resolution

- Remove from /admin/people/permissions the "Bypass password policy"
- Add a "roles" field to the Policy bypass section at admin/config/people/password_policy. In your own way you can probably handle the need, which doesn't fit perfectly with Drupal's permission control logic.

Note

I understand that as an admin you could change the password policy and e.g. set admin role to bypass password policy and create the user with weak password.
My bug report is not intended to solve this.
The goal is to make the module capable of preventing an admin from creating users with a weak password by mistake or due to superficiality.

πŸ› Bug report
Status

Closed: works as designed

Version

1.0

Component

Code

Created by

Hungary kepesv


Comments & Activities

  • Issue created by @kepesv
  • Hungary kepesv
  • Belgium kriboogh

    Just for clarity, by admin you mean user 1 right?

    Removing the bypass permission is not an option, as other sites need this feature. User 1 is always assigned all permissions by design of Drupal.
    Knowing that from a security point of view, it is preferred to disable user 1 and not use this account to do changes on your site but rather use a separate "admin" role where you can assign all (needed) permissions.

    But we will check the code to see why the policy is not applied when you create a new user when you are logged in as user 1. The check should be applied against the new user object not the logged in user. We did a bug fix not long ago to check the policy when a new user is created/updated. Maybe something else surfaced.

  • Hungary kepesv

    "Just for clarity, by admin you mean user 1 right?" - Right!
    "But we will check the code" - Great, thank you!

  • Status changed to Closed: works as designed 9 months ago
  • Belgium kriboogh

    I just tested this with the latest version.

    As an admin (user 1), which bypasses the permission by default, if you create a new user, the policy is applied to the new account. So even as user 1 you can't create an account that does not fulfill the policy.
    Only setting the password on user 1 will bypass the policy; a solution for this, as I explained before, is that you disable user 1.

    I think the other "issue" is that when you assign a role to be an admin role in Drupal, it automatically gets all permissions. To prevent this you need to set the administrator role setting to none and manage all permissions manually. See https:///admin/people/role-settings

    So unless I missed something in the initial request, I think the module works as it should.
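The point made in the thread, that the bypass must be decided for the account being saved rather than for the logged-in user, illustrated as an added example in a hypothetical custom module (`mymodule`). This is not code from the Password Policy module or from Drupal core; the permission machine name `bypass password policies` and the rule set in `mymodule_policy_failures()` are assumptions standing in for the module's configured rules.

```php
<?php
// Hypothetical custom module, added as an illustration only. It hooks the
// user register and edit forms and validates the submitted password against
// the *target* account, so a site administrator creating another user cannot
// hand that user a weak password unless the new account itself may bypass.

use Drupal\Core\Form\FormStateInterface;

/**
 * Implements hook_form_FORM_ID_alter() for user_register_form.
 */
function mymodule_form_user_register_form_alter(array &$form, FormStateInterface $form_state) {
  $form['#validate'][] = 'mymodule_validate_target_password';
}

/**
 * Implements hook_form_FORM_ID_alter() for user_form (account edit).
 */
function mymodule_form_user_form_alter(array &$form, FormStateInterface $form_state) {
  $form['#validate'][] = 'mymodule_validate_target_password';
}

/**
 * Form validation callback: apply the policy to the account being saved.
 */
function mymodule_validate_target_password(array &$form, FormStateInterface $form_state) {
  $pass = $form_state->getValue('pass');
  if ($pass === NULL || $pass === '') {
    return; // No password change submitted; nothing to check.
  }
  // Build the target user entity from the submitted values (roles included),
  // instead of consulting \Drupal::currentUser(), the logged-in account.
  /** @var \Drupal\user\UserInterface $target */
  $target = $form_state->getFormObject()->buildEntity($form, $form_state);
  // Assumed permission name. Note: hasPermission() is TRUE for user 1 and for
  // any administrator role, which is why the thread advises disabling user 1
  // and clearing the administrator role setting.
  if ($target->hasPermission('bypass password policies')) {
    return;
  }
  foreach (mymodule_policy_failures($pass) as $message) {
    $form_state->setErrorByName('pass', $message);
  }
}

/**
 * Assumed stand-in rule set; a real site reads these from policy config.
 */
function mymodule_policy_failures(string $pass): array {
  $failures = [];
  if (strlen($pass) < 12) { $failures[] = 'Password must be at least 12 characters long.'; }
  if (!preg_match('/[A-Z]/', $pass)) { $failures[] = 'Password must contain an uppercase letter.'; }
  if (!preg_match('/[0-9]/', $pass)) { $failures[] = 'Password must contain a digit.'; }
  return $failures;
}
```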
