Closed ivywe closed 2 years ago
A Root user is necessary but it doesn't need to be id 2 (at least it shouldn't).
I know we have functions in Geeklog that searches for the first Root user to apply for example security groups when a plugin is installed.
We should probably double check all this just to make sure things work as long as there is one Root user (and it doesn't matter what id it is). If not then we should either fix it (ideal) or lock down user id 2 to prevent it from being deleted.
Confirmed. I checked the code in USER_deleteAccount and it does check to make sure 1 root user is left or the user cannot be deleted. This is the delete user function used by user settings page and the admin user page so everything should be covered.
Admin 2 user id is necessary. but any root user can remove user id 2.