Introduce recovery tool or documentation for when someone is locked out of their own site

Created on 5 April 2024, 9 months ago
Updated 17 April 2024, 9 months ago

Problem/Motivation

As described in 🌱 [Meta] Plan for deprecating and eventually removing the super user access policy, the goal is to completely remove the super user access policy from core. Once that policy is gone, if the last admin of a site accidentally removes their own admin role, the site is left without any administrator. In such a scenario we should provide help with recovering the site.

Steps to reproduce

  1. Log in as the only admin
  2. Edit your user and remove the admin role
  3. Click save and be locked out of your site

Proposed resolution

Option 1: Recovery tool

Add a recovery.php that is gated by a flag in the settings file, similar to how update.php is gated by $settings['update_free_access']. If someone locks themselves out of their website, the script assigns the Administrator role to a user of their choosing. If the Administrator role no longer exists, the script creates one.

Option 2: Documentation

Document how to assign an admin role to a user using Drush or other tools, but do not add a recovery.php, since a web-reachable script that grants administrator privileges is an additional attack surface.

Remaining tasks

Discuss and implement tool or write documentation

User interface changes

N/A

API changes

None; a new tool, perhaps.

Data model changes

N/A

Release notes snippet

TBD

📌 Task
Status

Active

Version

11.0 🔥

Component
Base →


Created by

🇧🇪Belgium kristiaanvandeneynde Antwerp, Belgium


Comments & Activities

  • Issue created by @kristiaanvandeneynde
  • 🇧🇪Belgium kristiaanvandeneynde Antwerp, Belgium
  • 🇫🇷France andypost

    It could be added to existing security help topic (core/modules/help/help_topics/core.security.html.twig)

  • 🇺🇸United States ChaseOnTheWeb USA

    Is it desired to support the use case of a Drupal site without an administrator user? Here is an Option 3: Prohibit the last administrator user from being deleted or de-roled. Or, alternatively, add a prominent warning in the UI when the user attempts to do so.

  • 🇬🇧United Kingdom longwave UK

    A simpler version of option 1 is to add something to settings.php along the lines of update_free_access but that automatically assigns the Administrator role to a specified user ID, even if that role has been removed in the database?

  • 🇧🇪Belgium kristiaanvandeneynde Antwerp, Belgium

    Re #4 it doesn't have to be mutually exclusive. While we technically could babysit users via the UI, we also have to make sure we still have a recovery tool for when someone inevitably breaks their site through code or DB manipulations. This issue is about that recovery mechanism, we could discuss prevention and awareness in another issue.

    I like the suggestion in #5 as it's quite simple to implement. On every request or login we check for a flag and, if it is set, we check whether the user is still an admin and recover their admin role if not. However, it leaves a lot to be answered:

    1. Do we choose the admin role name and machine name for them if it's gone? Or do we ask them to specify?
    2. What if they specify a machine name that's already taken, but not an admin role? Do we throw an exception?

    Perhaps we need a few settings:

    // Set to a user ID to recover the admin role for said user upon login.
    $settings['recover_admin_role_for_user'] = FALSE;
    // If the administrator role was deleted, it will be recreated with this name and label.
    // Throws an exception if the machine name is already taken but the role is not an admin role.
    // Only takes effect while $settings['recover_admin_role_for_user'] is not FALSE.
    $settings['recover_admin_role_machine_name'] = 'administrator';
    $settings['recover_admin_role_label'] = 'Administrator';
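As an added example (not code from this issue, from Drupal core, or from any of the commenters), the following script sketches the recovery logic of Option 1 and the settings-gated variant proposed in #5 and #6 in one place: it is run with Drupal bootstrapped (for instance via `drush php:script`), reads the three `$settings` keys proposed in #6 (these keys do not exist in core; they are assumed here), re-creates the admin role if it was deleted, and refuses to act if a role with that machine name already exists but is not an admin role, which is one answer to question 2 in #6. The function names are hypothetical.

```php
<?php

/**
 * @file
 * Hypothetical admin-role recovery script (example for this issue, not core code).
 *
 * Run with Drupal bootstrapped, e.g.:  drush php:script recover-admin.php
 * Gate it with the settings proposed in comment #6 (assumed, not real core keys):
 *
 *   $settings['recover_admin_role_for_user'] = 42;            // uid to recover
 *   $settings['recover_admin_role_machine_name'] = 'administrator';
 *   $settings['recover_admin_role_label'] = 'Administrator';
 */

use Drupal\Core\Site\Settings;
use Drupal\user\Entity\Role;
use Drupal\user\Entity\User;
use Drupal\user\RoleInterface;

/**
 * Returns the admin role with ID $rid, creating it if it was deleted.
 *
 * Refuses to touch an existing role with that ID that is not an admin role,
 * so a typo in the machine name can never silently escalate "editor" or
 * "authenticated" into an admin role (question 2 in comment #6).
 */
function recovery_ensure_admin_role(string $rid, string $label): RoleInterface {
  $role = Role::load($rid);
  if ($role === NULL) {
    $role = Role::create(['id' => $rid, 'label' => $label]);
    $role->setIsAdmin(TRUE);
    $role->save();
    return $role;
  }
  if (!$role->isAdmin()) {
    throw new \RuntimeException(sprintf(
      'Role "%s" already exists and is not an admin role; refusing to escalate it.',
      $rid
    ));
  }
  return $role;
}

/**
 * Grants the admin role to user $uid. Returns TRUE if the account was changed.
 */
function recovery_grant_admin(int $uid, string $rid, string $label): bool {
  $account = User::load($uid);
  if ($account === NULL || $account->isAnonymous()) {
    throw new \RuntimeException(sprintf('No user account with ID %d.', $uid));
  }
  if (!$account->isActive()) {
    // A blocked account cannot log in anyway; unblocking is a separate decision.
    throw new \RuntimeException(sprintf('User %d is blocked; unblock it first.', $uid));
  }
  $role = recovery_ensure_admin_role($rid, $label);
  if ($account->hasRole($role->id())) {
    return FALSE;
  }
  $account->addRole($role->id());
  $account->save();
  return TRUE;
}

// The flag works like update_free_access: nothing happens unless it is set.
$uid = Settings::get('recover_admin_role_for_user', FALSE);
if ($uid === FALSE) {
  echo "Set \$settings['recover_admin_role_for_user'] in settings.php first.\n";
  return;
}
$rid = Settings::get('recover_admin_role_machine_name', 'administrator');
$label = Settings::get('recover_admin_role_label', 'Administrator');

$changed = recovery_grant_admin((int) $uid, $rid, $label);
if ($changed) {
  // Granting admin is exactly the kind of event that belongs in the log.
  \Drupal::logger('recovery')->notice('Admin role @rid granted to user @uid by recovery script.', [
    '@rid' => $rid,
    '@uid' => $uid,
  ]);
  echo "User $uid now has the '$rid' admin role.\n";
}
else {
  echo "User $uid already had the '$rid' admin role; nothing changed.\n";
}
echo "Remove \$settings['recover_admin_role_for_user'] from settings.php again.\n";
```

If the admin role still exists, the Option 2 route is a single Drush command, `drush user:role:add administrator <username>`; the script above only earns its keep in the case that command cannot handle, where the role itself has been deleted. As with update_free_access, the flag should be removed from settings.php as soon as access is restored, so that the recovery path is not left switched on.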
    