[6.x] Default the create user wizard super toggle to false#14927
Merged
jasonvarga merged 3 commits intoJul 3, 2026
Conversation
The user creation wizard defaults the "Super Admin" toggle to on for any super user creating an account, making it easy to grant super admin unintentionally. This adds a `statamic.users.wizard_default_super` config option (default `true`, preserving current behaviour) so the toggle can be made an explicit opt-in by setting it to `false`. The toggle default is still gated on `canCreateSupers`, so a non-super creator can never end up with a pre-checked super toggle, and the server-side guard in the store method is unchanged. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Member
|
I don't think we need the config. We can just make it default to off. |
Member
|
I can make that change though. |
Member
|
I have made the change and edited your title/description to reflect what's actually happening. Also updated some missing test coverage while in the area. Thanks for the nudge on this! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This changes the default of the super user toggle to false. This prevents high privileged users being created if you breeze through the wizard without paying attention. It's better to lock down permissions by default.
You can still toggle it back on with a single click, or if you breeze past and forget, it's simple to upgrade them to a super after the fact.
Also updated some missing test coverage while in the area.
Closes statamic/ideas#1467