Issue #540008 by kristiaanvandeneynde, Spokje, daffie, clayfreeman, alexpott,...

Issue #540008 by kristiaanvandeneynde, Spokje, daffie, clayfreeman, alexpott, eelkeblok, michaelfavia, ianthomas_uk, zaporylie, johnwebdev, abhisekmazumdar, anmolgoyal74, greggles, quietone, shaal, catch, rivimey, AaronMcHale, Berdir, ndf, xjm, finne, Wim Leers, esolitos, heddn, webchick, Bojhan, andypost, efpapado, benjifisher, lauriii, Gábor Hojtsy, moshe weitzman, harings_rob: Add a container parameter that can remove the special behavior of UID#1

core/assets/scaffold/files/default.services.yml

 parameters:
+  # Toggles the super user access policy. If your website has at least one user
+  # with the Administrator role, it is advised to set this to false. This allows
+  # you to make user 1 a regular user, strengthening the security of your site.
+  security.enable_super_user: true
   session.storage.options:
     # Default ini options for sessions.
     #

core/core.services.yml

@@ -8,6 +8,7 @@ parameters:
   # function properly before that runs.
   cache_default_bin_backends: []
   memory_cache_default_bin_backends: []
+  security.enable_super_user: true
   session.storage.options:
     gc_probability: 1
     gc_divisor: 100

core/lib/Drupal/Core/CoreServiceProvider.php

@@ -18,6 +18,7 @@
 use Drupal\Core\DependencyInjection\Compiler\RegisterStreamWrappersPass;
 use Drupal\Core\DependencyInjection\Compiler\StackedKernelPass;
 use Drupal\Core\DependencyInjection\Compiler\StackedSessionHandlerPass;
+use Drupal\Core\DependencyInjection\Compiler\SuperUserAccessPolicyPass;
 use Drupal\Core\DependencyInjection\Compiler\TaggedHandlersPass;
 use Drupal\Core\DependencyInjection\Compiler\TwigExtensionPass;
 use Drupal\Core\DependencyInjection\ContainerBuilder;
@@ -66,6 +67,8 @@ public function register(ContainerBuilder $container) {
 
     $container->addCompilerPass(new DevelopmentSettingsPass());
 
+    $container->addCompilerPass(new SuperUserAccessPolicyPass());
+
     $container->addCompilerPass(new ProxyServicesPass());
 
     $container->addCompilerPass(new BackendCompilerPass());

core/lib/Drupal/Core/DependencyInjection/Compiler/SuperUserAccessPolicyPass.php

+<?php
+
+namespace Drupal\Core\DependencyInjection\Compiler;
+
+use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+
+/**
+ * Removes the super user access policy when toggled off.
+ */
+class SuperUserAccessPolicyPass implements CompilerPassInterface {
+
+  /**
+   * {@inheritdoc}
+   */
+  public function process(ContainerBuilder $container): void {
+    if ($container->getParameter('security.enable_super_user') === FALSE) {
+      $container->removeDefinition('access_policy.super_user');
+      $container->removeAlias('Drupal\Core\Session\SuperUserAccessPolicy');
+    }
+  }
+
+}

core/lib/Drupal/Core/Test/FunctionalTestSetupTrait.php

@@ -60,6 +60,15 @@ trait FunctionalTestSetupTrait {
    */
   protected $apcuEnsureUniquePrefix = FALSE;
 
+  /**
+   * Set to TRUE to make user 1 a super user.
+   *
+   * @see \Drupal\Core\Session\SuperUserAccessPolicy
+   *
+   * @var bool
+   */
+  protected bool $usesSuperUserAccessPolicy;
+
   /**
    * Prepares site settings and services before installation.
    */
@@ -138,6 +147,15 @@ protected function prepareSettings() {
     // from running during tests.
     $services = $yaml->parse($content);
     $services['parameters']['session.storage.options']['gc_probability'] = 0;
+    // Disable the super user access policy so that we are sure our tests check
+    // for the right permissions.
+    if (!isset($this->usesSuperUserAccessPolicy)) {
+      $test_file_name = (new \ReflectionClass($this))->getFileName();
+      // @todo Decide in https://www.drupal.org/project/drupal/issues/3437926
+      //   how to remove this fallback behavior.
+      $this->usesSuperUserAccessPolicy = !str_starts_with($test_file_name, $this->root . DIRECTORY_SEPARATOR . 'core');
+    }
+    $services['parameters']['security.enable_super_user'] = $this->usesSuperUserAccessPolicy;
     if ($this->strictConfigSchema) {
       // Add a listener to validate configuration schema on save.
       $test_file_name = (new \ReflectionClass($this))->getFileName();

core/modules/block/tests/src/Functional/BlockHtmlTest.php

@@ -20,6 +20,14 @@ class BlockHtmlTest extends BrowserTestBase {
    */
   protected static $modules = ['block', 'block_test'];
 
+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
   /**
    * {@inheritdoc}
    */

core/modules/block/tests/src/Functional/BlockXssTest.php

@@ -25,6 +25,14 @@ class BlockXssTest extends BrowserTestBase {
    */
   protected static $modules = ['block', 'block_content', 'menu_ui', 'views'];
 
+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
   /**
    * {@inheritdoc}
    */

core/modules/block/tests/src/FunctionalJavascript/BlockContextualLinksTest.php

@@ -18,6 +18,14 @@ class BlockContextualLinksTest extends WebDriverTestBase {
    */
   protected static $modules = ['user', 'block', 'contextual'];
 
+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
   /**
    * {@inheritdoc}
    */

core/modules/comment/tests/src/Functional/CommentStatisticsTest.php

@@ -15,6 +15,14 @@
  */
 class CommentStatisticsTest extends CommentTestBase {
 
+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
   /**
    * A secondary user for posting comments.
    *

core/modules/config/tests/src/Functional/ConfigExportImportUITest.php

@@ -70,6 +70,14 @@ class ConfigExportImportUITest extends BrowserTestBase {
    */
   protected static $modules = ['config', 'node', 'field'];
 
+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
   /**
    * {@inheritdoc}
    */

core/modules/config/tests/src/Functional/LanguageNegotiationFormOverrideTest.php

@@ -16,6 +16,14 @@ class LanguageNegotiationFormOverrideTest extends BrowserTestBase {
 
   protected static $modules = ['language', 'locale', 'locale_test'];
 
+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
   /**
    * {@inheritdoc}
    */

core/modules/content_moderation/tests/src/Functional/ModerationContentTranslationTest.php

@@ -36,6 +36,14 @@ class ModerationContentTranslationTest extends BrowserTestBase {
     'content_translation',
   ];
 
+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
   /**
    * {@inheritdoc}
    */

core/modules/content_moderation/tests/src/Functional/ModerationFormTest.php

@@ -30,6 +30,14 @@ class ModerationFormTest extends ModerationStateTestBase {
     'content_translation',
   ];
 
+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
   /**
    * {@inheritdoc}
    */

core/modules/content_moderation/tests/src/Functional/ModerationLocaleTest.php

@@ -29,6 +29,14 @@ class ModerationLocaleTest extends ModerationStateTestBase {
     'content_translation',
   ];
 
+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
   /**
    * {@inheritdoc}
    */

core/modules/content_moderation/tests/src/Functional/ModerationStateBlockTest.php

@@ -14,6 +14,14 @@
  */
 class ModerationStateBlockTest extends ModerationStateTestBase {
 
+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
   /**
    * {@inheritdoc}
    */

core/modules/content_moderation/tests/src/Functional/WorkspaceContentModerationIntegrationTest.php

@@ -22,6 +22,14 @@ class WorkspaceContentModerationIntegrationTest extends ModerationStateTestBase
    */
   protected static $modules = ['node', 'workspaces'];
 
+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
   /**
    * {@inheritdoc}
    */

core/modules/content_moderation/tests/src/Kernel/EntityStateChangeValidationTest.php

@@ -31,6 +31,14 @@ class EntityStateChangeValidationTest extends KernelTestBase {
     'workflows',
   ];
 
+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
   /**
    * An admin user.
    *

core/modules/content_translation/tests/src/Functional/ContentTranslationEnableTest.php

@@ -20,6 +20,14 @@ class ContentTranslationEnableTest extends BrowserTestBase {
    */
   protected static $modules = ['entity_test', 'menu_link_content', 'node'];
 
+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
   /**
    * {@inheritdoc}
    */

core/modules/content_translation/tests/src/Functional/ContentTranslationNewTranslationWithExistingRevisionsTest.php

@@ -25,6 +25,14 @@ class ContentTranslationNewTranslationWithExistingRevisionsTest extends ContentT
     'node',
   ];
 
+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
   /**
    * {@inheritdoc}
    */

core/modules/content_translation/tests/src/Functional/ContentTranslationOutdatedRevisionTranslationTest.php

@@ -14,6 +14,14 @@
  */
 class ContentTranslationOutdatedRevisionTranslationTest extends ContentTranslationPendingRevisionTestBase {
 
+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
   /**
    * {@inheritdoc}
    */