Roles

Drupal 8: Prevent User Role Elevation

25th October 2019 - 4 minutes read time

Drupal has a small flaw in its user permission system that allows users to give themselves, or other users, roles that they shouldn't be able to assign. A user with the 'administer users' permission can essentially alter roles for any user on the system, meaning that they can grant administrator access to any user on the system. The fix involves a couple of actions.
