- Issue created by @prudloff
- 🇳🇴Norway eiriksm Norway
Hm, that seems counterintuitive with the name of the module :)
Also, it's quite a different attack surface to edit a super user, compared to an admin role, which may or may not be super users per se.
Personally I would rather make this module do nothing if that setting is enabled. Thoughts?
- 🇫🇷France prudloff Lille
IMHO a user with admin role is basically the same thing as a super user (except the UID is not hardcoded).
A role that has `is_admin: true` in its config automatically has every permission.
> Also, it's quite a different attack surface to edit a super user, compared to an admin role, which may or may not be super users per se.
I am not sure the attack surface is different.
Getting control of user 1 gives every permission.
Getting control of a user with an admin role (a role that has the is_admin flag) gives every permission.
- 🇳🇴Norway eiriksm Norway
Hm, you may be right about this. I guess I was not up to date on the role flag, I thought it was possible to override the permissions even if the role was admin.
Happy to review some code suggestions if you have them :)
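The two definitions compared in this thread (the hardcoded user 1 versus any role whose config carries `is_admin: true`) can be expressed as one check against Drupal core's account and role APIs. This is an added example, not code from the module or from either commenter; it assumes only core's `AccountInterface` and `Role` entity API, and the function name `example_is_effective_superuser` is a placeholder.

```php
<?php
// Added example (not the module's code): treat an account as super-user
// equivalent under both definitions discussed in the thread.
//
// Definition 1: the hardcoded user with uid 1.
// Definition 2: any role whose config entity has is_admin: true, e.g.
//   # config/sync/user.role.administrator.yml
//   id: administrator
//   is_admin: true
// Core grants every permission to such a role, so from a risk standpoint
// compromising either kind of account yields the same result.

use Drupal\Core\Session\AccountInterface;
use Drupal\user\Entity\Role;

function example_is_effective_superuser(AccountInterface $account): bool {
  // Definition 1: uid 1 is special-cased by core regardless of roles.
  if ((int) $account->id() === 1) {
    return TRUE;
  }

  // Definition 2: walk the account's roles and look for the is_admin flag.
  // getRoles() returns role IDs (including 'authenticated'); loadMultiple()
  // silently skips IDs with no config entity.
  foreach (Role::loadMultiple($account->getRoles()) as $role) {
    if ($role->isAdmin()) {
      return TRUE;
    }
  }

  return FALSE;
}

// Usage: guard a sensitive operation (e.g. editing another account) the same
// way for both kinds of all-powerful accounts.
// if (example_is_effective_superuser($target_account)) { /* deny or log */ }
```

Because the role check does not depend on the UID, a module that currently keys its protection on `id() === 1` alone can extend it to admin-flagged roles without touching its settings; the only behavioural difference is that the set of protected accounts now follows role assignments rather than a single fixed ID.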
- Status changed to Needs review
14 days ago 3:52pm 24 March 2025