13th September 2017

The slow but timely death of user 1

Kristiaan Van den Eynde
Senior Developer
Kill user 1

Change is hard, but sometimes it's also for the better.

All platforms have their issues, and Drupal is no different. These quirks, known as Drupalisms, can be the source of many WTF moments for developers because the code or functionality does not behave the way they expect.

As Drupal leaves the island of doing things in its own way, one of the stowaways still onboard is user 1.

User 1 is the first user account on a Drupal site, the one with user ID 1. User 1 is hardcoded to have every permission; its access cannot be controlled through the administration interface. It holds all the keys to the site and has to be special-cased in code.

It's time for us to kill user 1.

In its place, all users will be treated the same way, using the standard roles and permissions model.

Key benefits

There are several benefits, some of them rather major:

Security improvement: Once a site has been built, or has proper roles defined, you can take the admin role away from every user. This ensures there is no single account whose compromise puts your entire website at risk.

Code stability: I had to fix a few dozen tests because they relied on user 1 being special. The tests were not functioning correctly, meaning they were not actually covering the code they should have. Removing the UID1 Drupalism will ensure our tests have to run with the right permissions defined.

Consistency: What good is an access layer if there is a special exception that can bypass everything? An example of the downside: administrative local tasks (tabs) and actions ("+" icon links) are put behind sensible access checks, only for all gazillion of them to clutter the UI for user 1, because that account has god-mode turned on.

Reducing the number of Drupalisms: We need to distinguish between Drupalisms that define what Drupal is and those that characterize Drupal negatively by needlessly increasing its learning curve. The special case of UID1 belongs to the latter category. Very few systems still have god-mode accounts, and for good reason (see the items above). So let's destroy yet another barrier to outside developers joining our project.
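To make the Drupalism and the proposed fix concrete, here is an added illustration that is not part of the original post and not Drupal core's code. It models a minimal account class whose permission check contains the hardcoded user 1 short-circuit, beside the uniform role-based check that the post argues for, plus the kind of audit a site owner would run after the change to confirm which accounts still hold an administrator role. The class and function names (`Account`, `hasPermissionWithUid1Bypass`, `hasPermission`, `accountsWithAdminRole`), the role definitions and the sample accounts are all hypothetical and constructed for the example.

```php
<?php
declare(strict_types=1);

// Hypothetical role definitions: role name => granted permissions.
// Constructed for this example; not real site configuration.
const ROLE_PERMISSIONS = [
    'authenticated' => ['access content'],
    'editor'        => ['access content', 'edit any article content'],
    'administrator' => ['access content', 'edit any article content', 'administer users'],
];

// Roles treated as admin roles (Drupal lets a role be flagged is_admin in config).
const ADMIN_ROLES = ['administrator'];

final class Account
{
    public int $uid;
    /** @var string[] */
    public array $roles;

    public function __construct(int $uid, array $roles)
    {
        $this->uid = $uid;
        $this->roles = $roles;
    }

    // The Drupalism: user 1 is granted everything before roles are consulted,
    // so nothing configured in the administration interface can restrict it.
    public function hasPermissionWithUid1Bypass(string $permission): bool
    {
        if ($this->uid === 1) {
            return true;
        }
        return $this->hasPermission($permission);
    }

    // Uniform check: every account, including uid 1, is judged by its roles only.
    public function hasPermission(string $permission): bool
    {
        foreach ($this->roles as $role) {
            if (in_array($permission, ROLE_PERMISSIONS[$role] ?? [], true)) {
                return true;
            }
        }
        return false;
    }
}

/**
 * Audit helper: which accounts still hold an admin role?
 * Under the uniform model this list is the complete set of all-powerful
 * accounts; under the bypass, uid 1 is all-powerful even when absent from it.
 *
 * @param Account[] $accounts
 * @return int[] user IDs holding an admin role
 */
function accountsWithAdminRole(array $accounts): array
{
    $hits = [];
    foreach ($accounts as $account) {
        if (count(array_intersect($account->roles, ADMIN_ROLES)) > 0) {
            $hits[] = $account->uid;
        }
    }
    return $hits;
}

// Constructed sample site: uid 1 has had the admin role removed, as the
// post recommends once the site's roles are properly defined.
$accounts = [
    new Account(1, ['authenticated']),
    new Account(2, ['authenticated', 'editor']),
    new Account(3, ['authenticated', 'administrator']),
];

$uid1 = $accounts[0];
var_dump($uid1->hasPermissionWithUid1Bypass('administer users'));
var_dump($uid1->hasPermission('administer users'));
print_r(accountsWithAdminRole($accounts));
```

Run with any PHP 7.4 or later interpreter. The first check returns true even though uid 1 holds only the authenticated role, which is exactly the exception that defeats the access layer; the second returns false because uid 1 is now judged like every other account; and the audit lists only uid 3, so after the change that list really is the complete inventory of accounts whose compromise would expose the whole site.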

Summary

The issue proposing the removal of user 1 has been open since 2009, so the concept isn't new. I resurrected the issue earlier this year and it seems to be building momentum now.

If this is something that interests you, then please head over to the issue queue, read the discussions and try out the patch: https://www.drupal.org/node/540008

Let’s get this into Drupal 8.5.x!
