uuid:
  - value: 4d91d3dd-a1e8-4e31-a4d9-b8a302e903e3
langcode:
  - value: en
type:
  - target_id: daily_email
    target_type: node_type
    target_uuid: 8bde1f2f-eef9-4f2d-ae9c-96921f8193d7
revision_timestamp:
  - value: '2025-07-29T16:29:25+00:00'
revision_uid:
  - target_type: user
    target_uuid: b8966985-d4b2-42a7-a319-2e94ccfbb849
revision_log: {  }
status:
  - value: true
uid:
  - target_type: user
    target_uuid: b8966985-d4b2-42a7-a319-2e94ccfbb849
title:
  - value: 'The permissions issue that took down a website'
created:
  - value: '2025-07-24T16:28:31+00:00'
changed:
  - value: '2025-07-29T16:29:25+00:00'
promote:
  - value: false
sticky:
  - value: false
default_langcode:
  - value: true
revision_translation_affected:
  - value: true
path:
  - alias: ''
    pid: null
    langcode: en
body:
  - value: |-
      Yesterday, I wrote about [the difficulty of removing permissions][0] from users once they have them, and why users should only have access to features they need.

      If a user only needs to perform a few tasks, they do not need an Administrator role that gives them access to everything.

      This, unfortunately, was the case on a project I was consulting on a few years ago.

      I had a message from the client saying the website was offline and if I'd done anything to cause it.

      It turned out that an employee of the client was working on the website, and they had an Administrator role.

      Because of this, they saw a message that an unsupported module was installed and that it needed to be updated.

      They clicked it and the module updated.

      This was a new version of the module with a breaking change, and updating it broke the website and took it offline.

      The previous version was restored and the website was brought back online, but if the user hadn't had the Administrator role, they wouldn't have been able to update the module and take down the website.

      [0]: /daily/2025/07/23/its-hard-take-things-away
    format: markdown
    processed: |
      <p>Yesterday, I wrote about <a href="http://localhost:8888/daily/2025/07/23/its-hard-take-things-away">the difficulty of removing permissions</a> from users once they have them, and why users should only have access to features they need.</p>
      <p>If a user only needs to perform a few tasks, they do not need an Administrator role that gives them access to everything.</p>
      <p>This, unfortunately, was the case on a project I was consulting on a few years ago.</p>
      <p>I had a message from the client saying the website was offline and if I'd done anything to cause it.</p>
      <p>It turned out that an employee of the client was working on the website, and they had an Administrator role.</p>
      <p>Because of this, they saw a message that an unsupported module was installed and that it needed to be updated.</p>
      <p>They clicked it and the module updated.</p>
      <p>This was a new version of the module with a breaking change, and updating it broke the website and took it offline.</p>
      <p>The previous version was restored and the website was brought back online, but if the user hadn't had the Administrator role, they wouldn't have been able to update the module and take down the website.</p>
    summary: ''
field_daily_email_cta:
  - target_type: node
    target_uuid: 2a6bc8bd-a1e0-4f62-8112-47c3107020c5