From 05a3b374bbb4ac808f784c772a700c6aa401b3d2 Mon Sep 17 00:00:00 2001
From: Michael Stenta <mike@mstenta.net>
Date: Sat, 26 Aug 2023 15:58:12 -0400
Subject: [PATCH] Restrict access to user 1 so that Account Admins cannot edit
 it.

---
 .../farm_role_account_admin.module            | 22 +++++++++++
 .../tests/src/Functional/UserAccessTest.php   | 39 +++++++++++++++++++
 2 files changed, 61 insertions(+)
 create mode 100644 modules/core/role/modules/account_admin/farm_role_account_admin.module
 create mode 100644 modules/core/role/modules/account_admin/tests/src/Functional/UserAccessTest.php

diff --git a/modules/core/role/modules/account_admin/farm_role_account_admin.module b/modules/core/role/modules/account_admin/farm_role_account_admin.module
new file mode 100644
index 000000000..d56f3e58d
--- /dev/null
+++ b/modules/core/role/modules/account_admin/farm_role_account_admin.module
@@ -0,0 +1,22 @@
+<?php
+
+/**
+ * @file
+ * Hooks implemented by the farmOS Account Admin Role module.
+ */
+
+use Drupal\Core\Access\AccessResult;
+use Drupal\Core\Entity\EntityInterface;
+use Drupal\Core\Session\AccountInterface;
+
+/**
+ * Implements hook_ENTITY_TYPE_access().
+ */
+function farm_role_account_admin_user_access(EntityInterface $entity, $operation, AccountInterface $account) {
+
+  // Only user 1 can access user 1.
+  if ($entity->id() == 1 && $account->id() != 1) {
+    return AccessResult::forbidden();
+  }
+  return AccessResult::neutral();
+}
diff --git a/modules/core/role/modules/account_admin/tests/src/Functional/UserAccessTest.php b/modules/core/role/modules/account_admin/tests/src/Functional/UserAccessTest.php
new file mode 100644
index 000000000..c2d6f68bc
--- /dev/null
+++ b/modules/core/role/modules/account_admin/tests/src/Functional/UserAccessTest.php
@@ -0,0 +1,39 @@
+<?php
+
+namespace Drupal\Tests\farm_role_account_admin\Functional;
+
+use Drupal\Tests\farm_test\Functional\FarmBrowserTestBase;
+
+/**
+ * Tests access to user 1.
+ *
+ * @group farm
+ */
+class UserAccessTest extends FarmBrowserTestBase {
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $modules = [
+    'farm_role_account_admin',
+  ];
+
+  /**
+   * Test user 1 access.
+   */
+  public function testUser1Access() {
+
+    // Create and login a user with farm_account_admin role.
+    $user = $this->createUser();
+    $user->addRole('farm_account_admin');
+    $user->save();
+    $this->drupalLogin($user);
+
+    // Confirm that the user cannot access user 1.
+    $this->drupalGet('user/1');
+    $this->assertSession()->statusCodeEquals(403);
+    $this->drupalGet('user/1/edit');
+    $this->assertSession()->statusCodeEquals(403);
+  }
+
+}