- Issue created by @kristiaanvandeneynde
Now that the special powers tied to user 1 are neatly contained in an access policy, we can switch it off. This is what was made possible in "Add a container parameter that can remove the special behavior of UID#1" (Fixed).
However, that issue only made sure that core tests run without the super user policy, proving that they have the correct permissions assigned in their setup. The updates to core tests are being tackled here: "[Meta] Fix all tests that rely on UID1's super user behavior" (Active).
For contrib, we need to come up with a plan on how to trigger a deprecation warning when a test runs without setting $usesSuperUserAccessPolicy to FALSE. That is being discussed here: "Decide on when/how we will run contrib/custom tests without the super user access policy" (Active).
The end goal is to completely remove the super user access policy from core as it's a possible attack vector.
Finally, we need to devise a way to recover your website if you removed your own admin role by accident, because you'll no longer be able to rely on user 1 having permanent admin powers. This is being discussed here: "Introduce recovery tool or documentation for when someone is locked out of their own site" (Active).
Resolve all linked issues in their own issues; keep this issue as a parent for meta discussion.
Resolve all linked issues
Active
11.0