Module Description
This module allows fine-grained access control of user administrators, by providing various editing protection for users. The protections can be specific to a user, or applied to all users in a role.

Note: Up until the D7 version, User Protect has a complicated configuration -- please take the time to read the very extensive module help before using it!

Provided protections
The following protections are supported:


* Username
* E-mail address
* Password
* Status
* Roles
* Edit operation (user/X/edit)
* Delete operation (user/X/delete or user/X/cancel)

Additionally, the following protections are supported in 7.x-1.x and earlier:


* OpenID identities

How it works
There are two types of protection rules:


* User based protection rules These apply to a single user.
* Role based protection rules These apply to all users that have that role.

A protection rule prevents any user to perform the selected editing operations (such as changing password or changing mail address) on the specified user. There are two exceptions in which a configured protection rule does not apply:


* The logged in user has permission to bypass the protection rule. In Drupal 8, this can be configured with an user permission. In Drupal 7, by adding a bypass rule at /admin/config/people/userprotect/administrator_bypass (for one specific user) or by changing the "Administrator bypass defaults" at /admin/config/people/userprotect/protection_defaults (for all users, except the ones for which a bypass rule exists).
* The specified user is the current logged in user. Protection rules don't count for the user itself. Instead, there are permissions available to prevent an user from editing its own account, username, e-mail address or password.

Protected fields will be disabled or hidden on the form at user/X/edit. The edit and delete operations are protected by controlling access on the paths user/X/edit and user/X/delete. The protections also apply on bulk operations provided by Drupal core and (for Drupal 7 only) on bulk operations provided by Views Bulk Operations.

No protection to the role itself, only to users in the role User protect does *not* limit an user in assigning/revoking certain roles in general. A role based protection rule only limits access to users that currently have that role. It does not protect the role itself. For limiting the roles that can be assigned/revoked, try the RoleAssign module or the Role delegation module.

Compatibility The module is compatible with the following modules:


* RoleAssign
* Views Bulk Operations (D7 only)

For compatibility with the Role Delegation module, there is an issue: #1984520: "User Role Delegation" module overrides User Protect settings, but I would like the opposite behavior.

Similar modules
See https://drupal.org/node/980082 for a comparison of user edit protection modules.

Authors, maintainers
Versions 4.7.x-1.x - 7.x-1.x were written by Chad Phillips. Version 8.x-1.x is written and maintained by MegaChriz.

Project Usage
18257
Creation Date
Changed Date
Security Covered
Covered By Security Advisory
Version Available
Production
Module Summary
This module aims to solve the issue of fine-grained access control for user administrators by providing various editing protections for users based on specific criteria like username, email address, password, status, roles, and operations.
Data Name
userprotect

OPENAI CHATBOT

OPENAI CHATBOT

11:45:21
Generic Chatbot
Hi, I'm a Drupal module expert powered by OpenAI, answering your questions about the Drupal module ecosystem. How can I be helpful today? Please note that we will log your question.