Issue #540008 by kristiaanvandeneynde, Spokje, daffie, clayfreeman, alexpott, eelkeblok, michaelfavia, ianthomas_uk, zaporylie, johnwebdev, abhisekmazumdar, anmolgoyal74, greggles, quietone, shaal, catch, rivimey, AaronMcHale, Berdir, ndf, xjm, finne, Wim Leers, esolitos, heddn, webchick, Bojhan, andypost, efpapado, benjifisher, lauriii, Gábor Hojtsy, moshe weitzman, harings_rob: Add a container parameter that can remove the special behavior of UID#1

2024-04-09 11:48:50 +01:00 · 2024-04-09 11:48:50 +01:00 · 9baa43976c
parent 955418c2df
commit 9baa43976c
80 changed files with 713 additions and 0 deletions
--- a/core/assets/scaffold/files/default.services.yml
+++ b/core/assets/scaffold/files/default.services.yml
@ -1,4 +1,8 @@
 parameters:
+  # Toggles the super user access policy. If your website has at least one user
+  # with the Administrator role, it is advised to set this to false. This allows
+  # you to make user 1 a regular user, strengthening the security of your site.
+  security.enable_super_user: true
  session.storage.options:
    # Default ini options for sessions.
    #
--- a/core/core.services.yml
+++ b/core/core.services.yml
@ -8,6 +8,7 @@ parameters:
  # function properly before that runs.
  cache_default_bin_backends: []
  memory_cache_default_bin_backends: []
+  security.enable_super_user: true
  session.storage.options:
    gc_probability: 1
    gc_divisor: 100
--- a/core/lib/Drupal/Core/CoreServiceProvider.php
+++ b/core/lib/Drupal/Core/CoreServiceProvider.php
@ -18,6 +18,7 @@ use Drupal\Core\DependencyInjection\Compiler\RegisterServicesForDestructionPass;
 use Drupal\Core\DependencyInjection\Compiler\RegisterStreamWrappersPass;
 use Drupal\Core\DependencyInjection\Compiler\StackedKernelPass;
 use Drupal\Core\DependencyInjection\Compiler\StackedSessionHandlerPass;
+use Drupal\Core\DependencyInjection\Compiler\SuperUserAccessPolicyPass;
 use Drupal\Core\DependencyInjection\Compiler\TaggedHandlersPass;
 use Drupal\Core\DependencyInjection\Compiler\TwigExtensionPass;
 use Drupal\Core\DependencyInjection\ContainerBuilder;
@ -66,6 +67,8 @@ class CoreServiceProvider implements ServiceProviderInterface, ServiceModifierIn

    $container->addCompilerPass(new DevelopmentSettingsPass());

+    $container->addCompilerPass(new SuperUserAccessPolicyPass());
+
    $container->addCompilerPass(new ProxyServicesPass());

    $container->addCompilerPass(new BackendCompilerPass());
--- a/core/lib/Drupal/Core/DependencyInjection/Compiler/SuperUserAccessPolicyPass.php
+++ b/core/lib/Drupal/Core/DependencyInjection/Compiler/SuperUserAccessPolicyPass.php
@ -0,0 +1,23 @@
+<?php
+
+namespace Drupal\Core\DependencyInjection\Compiler;
+
+use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+
+/**
+ * Removes the super user access policy when toggled off.
+ */
+class SuperUserAccessPolicyPass implements CompilerPassInterface {
+
+  /**
+   * {@inheritdoc}
+   */
+  public function process(ContainerBuilder $container): void {
+    if ($container->getParameter('security.enable_super_user') === FALSE) {
+      $container->removeDefinition('access_policy.super_user');
+      $container->removeAlias('Drupal\Core\Session\SuperUserAccessPolicy');
+    }
+  }
+
+}
--- a/core/lib/Drupal/Core/Test/FunctionalTestSetupTrait.php
+++ b/core/lib/Drupal/Core/Test/FunctionalTestSetupTrait.php
@ -60,6 +60,15 @@ trait FunctionalTestSetupTrait {
   */
  protected $apcuEnsureUniquePrefix = FALSE;

+  /**
+   * Set to TRUE to make user 1 a super user.
+   *
+   * @see \Drupal\Core\Session\SuperUserAccessPolicy
+   *
+   * @var bool
+   */
+  protected bool $usesSuperUserAccessPolicy;
+
  /**
   * Prepares site settings and services before installation.
   */
@ -138,6 +147,15 @@ trait FunctionalTestSetupTrait {
    // from running during tests.
    $services = $yaml->parse($content);
    $services['parameters']['session.storage.options']['gc_probability'] = 0;
+    // Disable the super user access policy so that we are sure our tests check
+    // for the right permissions.
+    if (!isset($this->usesSuperUserAccessPolicy)) {
+      $test_file_name = (new \ReflectionClass($this))->getFileName();
+      // @todo Decide in https://www.drupal.org/project/drupal/issues/3437926
+      //   how to remove this fallback behavior.
+      $this->usesSuperUserAccessPolicy = !str_starts_with($test_file_name, $this->root . DIRECTORY_SEPARATOR . 'core');
+    }
+    $services['parameters']['security.enable_super_user'] = $this->usesSuperUserAccessPolicy;
    if ($this->strictConfigSchema) {
      // Add a listener to validate configuration schema on save.
      $test_file_name = (new \ReflectionClass($this))->getFileName();
--- a/core/modules/block/tests/src/Functional/BlockHtmlTest.php
+++ b/core/modules/block/tests/src/Functional/BlockHtmlTest.php
@ -20,6 +20,14 @@ class BlockHtmlTest extends BrowserTestBase {
   */
  protected static $modules = ['block', 'block_test'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/block/tests/src/Functional/BlockXssTest.php
+++ b/core/modules/block/tests/src/Functional/BlockXssTest.php
@ -25,6 +25,14 @@ class BlockXssTest extends BrowserTestBase {
   */
  protected static $modules = ['block', 'block_content', 'menu_ui', 'views'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/block/tests/src/FunctionalJavascript/BlockContextualLinksTest.php
+++ b/core/modules/block/tests/src/FunctionalJavascript/BlockContextualLinksTest.php
@ -18,6 +18,14 @@ class BlockContextualLinksTest extends WebDriverTestBase {
   */
  protected static $modules = ['user', 'block', 'contextual'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/comment/tests/src/Functional/CommentStatisticsTest.php
+++ b/core/modules/comment/tests/src/Functional/CommentStatisticsTest.php
@ -15,6 +15,14 @@ use Drupal\comment\Entity\Comment;
 */
 class CommentStatisticsTest extends CommentTestBase {

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * A secondary user for posting comments.
   *
--- a/core/modules/config/tests/src/Functional/ConfigExportImportUITest.php
+++ b/core/modules/config/tests/src/Functional/ConfigExportImportUITest.php
@ -70,6 +70,14 @@ class ConfigExportImportUITest extends BrowserTestBase {
   */
  protected static $modules = ['config', 'node', 'field'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/config/tests/src/Functional/LanguageNegotiationFormOverrideTest.php
+++ b/core/modules/config/tests/src/Functional/LanguageNegotiationFormOverrideTest.php
@ -16,6 +16,14 @@ class LanguageNegotiationFormOverrideTest extends BrowserTestBase {

  protected static $modules = ['language', 'locale', 'locale_test'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/content_moderation/tests/src/Functional/ModerationContentTranslationTest.php
+++ b/core/modules/content_moderation/tests/src/Functional/ModerationContentTranslationTest.php
@ -36,6 +36,14 @@ class ModerationContentTranslationTest extends BrowserTestBase {
    'content_translation',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/content_moderation/tests/src/Functional/ModerationFormTest.php
+++ b/core/modules/content_moderation/tests/src/Functional/ModerationFormTest.php
@ -30,6 +30,14 @@ class ModerationFormTest extends ModerationStateTestBase {
    'content_translation',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/content_moderation/tests/src/Functional/ModerationLocaleTest.php
+++ b/core/modules/content_moderation/tests/src/Functional/ModerationLocaleTest.php
@ -29,6 +29,14 @@ class ModerationLocaleTest extends ModerationStateTestBase {
    'content_translation',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/content_moderation/tests/src/Functional/ModerationStateBlockTest.php
+++ b/core/modules/content_moderation/tests/src/Functional/ModerationStateBlockTest.php
@ -14,6 +14,14 @@ use Drupal\block_content\Entity\BlockContentType;
 */
 class ModerationStateBlockTest extends ModerationStateTestBase {

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/content_moderation/tests/src/Functional/WorkspaceContentModerationIntegrationTest.php
+++ b/core/modules/content_moderation/tests/src/Functional/WorkspaceContentModerationIntegrationTest.php
@ -22,6 +22,14 @@ class WorkspaceContentModerationIntegrationTest extends ModerationStateTestBase
   */
  protected static $modules = ['node', 'workspaces'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/content_moderation/tests/src/Kernel/EntityStateChangeValidationTest.php
+++ b/core/modules/content_moderation/tests/src/Kernel/EntityStateChangeValidationTest.php
@ -31,6 +31,14 @@ class EntityStateChangeValidationTest extends KernelTestBase {
    'workflows',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * An admin user.
   *
--- a/core/modules/content_translation/tests/src/Functional/ContentTranslationEnableTest.php
+++ b/core/modules/content_translation/tests/src/Functional/ContentTranslationEnableTest.php
@ -20,6 +20,14 @@ class ContentTranslationEnableTest extends BrowserTestBase {
   */
  protected static $modules = ['entity_test', 'menu_link_content', 'node'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/content_translation/tests/src/Functional/ContentTranslationNewTranslationWithExistingRevisionsTest.php
+++ b/core/modules/content_translation/tests/src/Functional/ContentTranslationNewTranslationWithExistingRevisionsTest.php
@ -25,6 +25,14 @@ class ContentTranslationNewTranslationWithExistingRevisionsTest extends ContentT
    'node',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/content_translation/tests/src/Functional/ContentTranslationOutdatedRevisionTranslationTest.php
+++ b/core/modules/content_translation/tests/src/Functional/ContentTranslationOutdatedRevisionTranslationTest.php
@ -14,6 +14,14 @@ use Drupal\language\Entity\ConfigurableLanguage;
 */
 class ContentTranslationOutdatedRevisionTranslationTest extends ContentTranslationPendingRevisionTestBase {

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/content_translation/tests/src/Functional/ContentTranslationRevisionTranslationDeletionTest.php
+++ b/core/modules/content_translation/tests/src/Functional/ContentTranslationRevisionTranslationDeletionTest.php
@ -14,6 +14,14 @@ use Drupal\language\Entity\ConfigurableLanguage;
 */
 class ContentTranslationRevisionTranslationDeletionTest extends ContentTranslationPendingRevisionTestBase {

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/content_translation/tests/src/Functional/ContentTranslationUntranslatableFieldsTest.php
+++ b/core/modules/content_translation/tests/src/Functional/ContentTranslationUntranslatableFieldsTest.php
@ -24,6 +24,14 @@ class ContentTranslationUntranslatableFieldsTest extends ContentTranslationPendi
   */
  protected static $modules = ['field_test'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/field/tests/src/Functional/EntityReference/EntityReferenceXSSTest.php
+++ b/core/modules/field/tests/src/Functional/EntityReference/EntityReferenceXSSTest.php
@ -25,6 +25,14 @@ class EntityReferenceXSSTest extends BrowserTestBase {
   */
  protected static $modules = ['node'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/field/tests/src/Functional/FieldDefaultValueCallbackTest.php
+++ b/core/modules/field/tests/src/Functional/FieldDefaultValueCallbackTest.php
@ -22,6 +22,14 @@ class FieldDefaultValueCallbackTest extends BrowserTestBase {
   */
  protected static $modules = ['node', 'field_test', 'field_ui'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/field_ui/tests/src/Functional/FieldUIRouteTest.php
+++ b/core/modules/field_ui/tests/src/Functional/FieldUIRouteTest.php
@ -22,6 +22,14 @@ class FieldUIRouteTest extends BrowserTestBase {
   */
  protected static $modules = ['block', 'entity_test', 'field_ui'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/file/tests/src/Kernel/SaveTest.php
+++ b/core/modules/file/tests/src/Kernel/SaveTest.php
@ -11,6 +11,14 @@ use Drupal\file\Entity\File;
 */
 class SaveTest extends FileManagedUnitTestBase {

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  public function testFileSave() {
    // Create a new file entity.
    $file = File::create([
--- a/core/modules/forum/tests/src/Functional/ForumUninstallTest.php
+++ b/core/modules/forum/tests/src/Functional/ForumUninstallTest.php
@ -28,6 +28,14 @@ class ForumUninstallTest extends BrowserTestBase {
   */
  protected static $modules = ['forum'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/help/tests/src/Functional/HelpTest.php
+++ b/core/modules/help/tests/src/Functional/HelpTest.php
@ -33,6 +33,14 @@ class HelpTest extends BrowserTestBase {
    'history',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/help/tests/src/Functional/HelpTopicSearchTest.php
+++ b/core/modules/help/tests/src/Functional/HelpTopicSearchTest.php
@ -29,6 +29,14 @@ class HelpTopicSearchTest extends HelpTopicTranslatedTestBase {
    'language',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/help/tests/src/Functional/HelpTopicsSyntaxTest.php
+++ b/core/modules/help/tests/src/Functional/HelpTopicsSyntaxTest.php
@ -29,6 +29,14 @@ class HelpTopicsSyntaxTest extends BrowserTestBase {
    'locale',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/language/tests/src/Functional/LanguageConfigOverrideImportTest.php
+++ b/core/modules/language/tests/src/Functional/LanguageConfigOverrideImportTest.php
@ -27,6 +27,14 @@ class LanguageConfigOverrideImportTest extends BrowserTestBase {
    'config_translation',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/layout_builder/tests/src/Functional/LayoutBuilderOverridesTest.php
+++ b/core/modules/layout_builder/tests/src/Functional/LayoutBuilderOverridesTest.php
@ -15,6 +15,14 @@ use Drupal\node\Entity\Node;
 */
 class LayoutBuilderOverridesTest extends LayoutBuilderTestBase {

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * Tests deleting a field in-use by an overridden layout.
   */
--- a/core/modules/locale/tests/src/Functional/LocaleLocaleLookupTest.php
+++ b/core/modules/locale/tests/src/Functional/LocaleLocaleLookupTest.php
@ -25,6 +25,14 @@ class LocaleLocaleLookupTest extends BrowserTestBase {
   */
  protected static $modules = ['locale', 'locale_test'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/media/tests/src/Functional/MediaRequirementsTest.php
+++ b/core/modules/media/tests/src/Functional/MediaRequirementsTest.php
@ -11,6 +11,14 @@ namespace Drupal\Tests\media\Functional;
 */
 class MediaRequirementsTest extends MediaFunctionalTestBase {

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/media_library/tests/src/FunctionalJavascript/ContentModerationTest.php
+++ b/core/modules/media_library/tests/src/FunctionalJavascript/ContentModerationTest.php
@ -39,6 +39,14 @@ class ContentModerationTest extends WebDriverTestBase {
    'views',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/menu_ui/tests/src/Functional/MenuUiNodeTest.php
+++ b/core/modules/menu_ui/tests/src/Functional/MenuUiNodeTest.php
@ -43,6 +43,14 @@ class MenuUiNodeTest extends BrowserTestBase {
    'content_translation',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/migrate_drupal_ui/tests/src/Functional/MigrateControllerTest.php
+++ b/core/modules/migrate_drupal_ui/tests/src/Functional/MigrateControllerTest.php
@ -23,6 +23,14 @@ class MigrateControllerTest extends BrowserTestBase {
    'views_ui',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/node/tests/src/Functional/NodeAccessCacheabilityTest.php
+++ b/core/modules/node/tests/src/Functional/NodeAccessCacheabilityTest.php
@ -28,6 +28,14 @@ class NodeAccessCacheabilityTest extends NodeTestBase {
    'node_access_test_auto_bubbling',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/node/tests/src/Functional/NodeAccessGrantsCacheContextTest.php
+++ b/core/modules/node/tests/src/Functional/NodeAccessGrantsCacheContextTest.php
@ -22,6 +22,14 @@ class NodeAccessGrantsCacheContextTest extends NodeTestBase {
   */
  protected static $modules = ['node_access_test'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/node/tests/src/Kernel/NodeAccessLanguageAwareCombinationTest.php
+++ b/core/modules/node/tests/src/Kernel/NodeAccessLanguageAwareCombinationTest.php
@ -28,6 +28,14 @@ class NodeAccessLanguageAwareCombinationTest extends NodeAccessTestBase {
    'node_access_test',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * A set of nodes to use in testing.
   *
--- a/core/modules/node/tests/src/Kernel/NodeAccessLanguageAwareTest.php
+++ b/core/modules/node/tests/src/Kernel/NodeAccessLanguageAwareTest.php
@ -23,6 +23,14 @@ class NodeAccessLanguageAwareTest extends NodeAccessTestBase {
   */
  protected static $modules = ['language', 'node_access_test_language'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * A set of nodes to use in testing.
   *
--- a/core/modules/node/tests/src/Kernel/NodeAccessLanguageTest.php
+++ b/core/modules/node/tests/src/Kernel/NodeAccessLanguageTest.php
@ -20,6 +20,14 @@ class NodeAccessLanguageTest extends NodeAccessTestBase {
   */
  protected static $modules = ['language', 'node_access_test'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/node/tests/src/Kernel/Views/NodeViewsFieldAccessTest.php
+++ b/core/modules/node/tests/src/Kernel/Views/NodeViewsFieldAccessTest.php
@ -20,6 +20,14 @@ class NodeViewsFieldAccessTest extends FieldFieldAccessTestBase {
   */
  protected static $modules = ['node', 'entity_test'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/path/tests/src/Functional/PathContentModerationTest.php
+++ b/core/modules/path/tests/src/Functional/PathContentModerationTest.php
@ -31,6 +31,14 @@ class PathContentModerationTest extends BrowserTestBase {
    'content_translation',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/shortcut/tests/src/Functional/ShortcutCacheTagsTest.php
+++ b/core/modules/shortcut/tests/src/Functional/ShortcutCacheTagsTest.php
@ -31,6 +31,14 @@ class ShortcutCacheTagsTest extends EntityCacheTagsTestBase {
    'block',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/shortcut/tests/src/Functional/ShortcutLinksTest.php
+++ b/core/modules/shortcut/tests/src/Functional/ShortcutLinksTest.php
@ -31,6 +31,14 @@ class ShortcutLinksTest extends ShortcutTestBase {
   */
  protected static $modules = ['router_test', 'views', 'block'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/system/tests/src/Functional/Bootstrap/DrupalMessengerServiceTest.php
+++ b/core/modules/system/tests/src/Functional/Bootstrap/DrupalMessengerServiceTest.php
@ -22,6 +22,14 @@ class DrupalMessengerServiceTest extends BrowserTestBase {
   */
  protected static $modules = ['system_test'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/system/tests/src/Functional/Entity/EntityReferenceFieldCreationTest.php
+++ b/core/modules/system/tests/src/Functional/Entity/EntityReferenceFieldCreationTest.php
@ -23,6 +23,14 @@ class EntityReferenceFieldCreationTest extends BrowserTestBase {
   */
  protected static $modules = ['entity_test', 'node', 'field_ui'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/system/tests/src/Functional/File/FileSaveHtaccessLoggingTest.php
+++ b/core/modules/system/tests/src/Functional/File/FileSaveHtaccessLoggingTest.php
@ -14,8 +14,19 @@ use Drupal\Tests\BrowserTestBase;
 */
 class FileSaveHtaccessLoggingTest extends BrowserTestBase {

+  /**
+   * {@inheritdoc}
+   */
  protected static $modules = ['dblog'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/system/tests/src/Functional/Menu/LocalTasksTest.php
+++ b/core/modules/system/tests/src/Functional/Menu/LocalTasksTest.php
@ -24,6 +24,14 @@ class LocalTasksTest extends BrowserTestBase {
   */
  protected static $modules = ['block', 'menu_test', 'entity_test', 'node'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/system/tests/src/Functional/Module/ClassLoaderTest.php
+++ b/core/modules/system/tests/src/Functional/Module/ClassLoaderTest.php
@ -14,6 +14,14 @@ use Drupal\Tests\BrowserTestBase;
 */
 class ClassLoaderTest extends BrowserTestBase {

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * The expected result from calling the module-provided class' method.
   *
--- a/core/modules/system/tests/src/Functional/Module/GenericModuleTestBase.php
+++ b/core/modules/system/tests/src/Functional/Module/GenericModuleTestBase.php
@ -19,6 +19,14 @@ abstract class GenericModuleTestBase extends BrowserTestBase {
    'help',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/system/tests/src/Functional/System/DateFormatsLockedTest.php
+++ b/core/modules/system/tests/src/Functional/System/DateFormatsLockedTest.php
@ -13,6 +13,14 @@ use Drupal\Tests\BrowserTestBase;
 */
 class DateFormatsLockedTest extends BrowserTestBase {

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/system/tests/src/Functional/Theme/MaintenanceThemeUpdateRegistryTest.php
+++ b/core/modules/system/tests/src/Functional/Theme/MaintenanceThemeUpdateRegistryTest.php
@ -16,6 +16,14 @@ use Drupal\Tests\RequirementsPageTrait;
 class MaintenanceThemeUpdateRegistryTest extends BrowserTestBase {
  use RequirementsPageTrait;

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/system/tests/src/Functional/UpdateSystem/UpdateScriptTest.php
+++ b/core/modules/system/tests/src/Functional/UpdateSystem/UpdateScriptTest.php
@ -36,6 +36,14 @@ class UpdateScriptTest extends BrowserTestBase {
    'test_another_module_required_by_theme',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/system/tests/src/Kernel/DateFormatAccessControlHandlerTest.php
+++ b/core/modules/system/tests/src/Kernel/DateFormatAccessControlHandlerTest.php
@ -30,6 +30,14 @@ class DateFormatAccessControlHandlerTest extends KernelTestBase {
    'user',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * The date_format access control handler.
   *
--- a/core/modules/system/tests/src/Kernel/Entity/EntityReferenceSelection/EntityReferenceSelectionAccessTest.php
+++ b/core/modules/system/tests/src/Kernel/Entity/EntityReferenceSelection/EntityReferenceSelectionAccessTest.php
@ -48,6 +48,14 @@ class EntityReferenceSelectionAccessTest extends KernelTestBase {
    'user',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/system/tests/src/Kernel/MenuAccessControlHandlerTest.php
+++ b/core/modules/system/tests/src/Kernel/MenuAccessControlHandlerTest.php
@ -29,6 +29,14 @@ class MenuAccessControlHandlerTest extends KernelTestBase {
    'user',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * The menu access control handler.
   *
--- a/core/modules/taxonomy/tests/src/Kernel/Views/TaxonomyFieldVidTest.php
+++ b/core/modules/taxonomy/tests/src/Kernel/Views/TaxonomyFieldVidTest.php
@ -33,6 +33,14 @@ class TaxonomyFieldVidTest extends ViewsKernelTestBase {
    'filter',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * Views used by this test.
   *
--- a/core/modules/toolbar/tests/src/FunctionalJavascript/ToolbarActiveTrailTest.php
+++ b/core/modules/toolbar/tests/src/FunctionalJavascript/ToolbarActiveTrailTest.php
@ -18,6 +18,14 @@ class ToolbarActiveTrailTest extends WebDriverTestBase {
   */
  protected static $modules = ['toolbar', 'node', 'field_ui'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/user/tests/src/Functional/UserRequirementsTest.php
+++ b/core/modules/user/tests/src/Functional/UserRequirementsTest.php
@ -13,6 +13,14 @@ use Drupal\Tests\BrowserTestBase;
 */
 class UserRequirementsTest extends BrowserTestBase {

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/user/tests/src/Kernel/WhoIsOnlineBlockTest.php
+++ b/core/modules/user/tests/src/Kernel/WhoIsOnlineBlockTest.php
@ -18,6 +18,14 @@ class WhoIsOnlineBlockTest extends KernelTestBase {
   */
  protected static $modules = ['system', 'user', 'block', 'views'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * The block being tested.
   *
--- a/core/modules/views/tests/src/Functional/Handler/FieldEntityLinkBaseTest.php
+++ b/core/modules/views/tests/src/Functional/Handler/FieldEntityLinkBaseTest.php
@ -27,6 +27,14 @@ class FieldEntityLinkBaseTest extends ViewTestBase {
   */
  protected static $modules = ['node', 'language'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/views/tests/src/Functional/Plugin/ContextualFiltersStringTest.php
+++ b/core/modules/views/tests/src/Functional/Plugin/ContextualFiltersStringTest.php
@ -23,6 +23,14 @@ class ContextualFiltersStringTest extends ViewTestBase {
    'views_test_config',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/views/tests/src/Functional/Plugin/DisplayPageWebTest.php
+++ b/core/modules/views/tests/src/Functional/Plugin/DisplayPageWebTest.php
@ -31,6 +31,14 @@ class DisplayPageWebTest extends ViewTestBase {
   */
  protected static $modules = ['block', 'views_ui'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/views/tests/src/Functional/UserBatchActionTest.php
+++ b/core/modules/views/tests/src/Functional/UserBatchActionTest.php
@ -25,6 +25,14 @@ class UserBatchActionTest extends BrowserTestBase {
    'views',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/views/tests/src/Kernel/Handler/FieldFieldTest.php
+++ b/core/modules/views/tests/src/Kernel/Handler/FieldFieldTest.php
@ -33,6 +33,14 @@ class FieldFieldTest extends ViewsKernelTestBase {
    'views_entity_test',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/views/tests/src/Kernel/Plugin/RssFieldsTest.php
+++ b/core/modules/views/tests/src/Kernel/Plugin/RssFieldsTest.php
@ -23,6 +23,14 @@ class RssFieldsTest extends ViewsKernelTestBase {
   */
  protected static $modules = ['node', 'field', 'text', 'filter'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/workspaces/tests/src/Functional/PathWorkspacesTest.php
+++ b/core/modules/workspaces/tests/src/Functional/PathWorkspacesTest.php
@ -32,6 +32,14 @@ class PathWorkspacesTest extends BrowserTestBase {
    'workspaces',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/workspaces/tests/src/Functional/WorkspaceTest.php
+++ b/core/modules/workspaces/tests/src/Functional/WorkspaceTest.php
@ -35,6 +35,14 @@ class WorkspaceTest extends BrowserTestBase {
    'workspaces',
  ];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/modules/workspaces/tests/src/Functional/WorkspacesUninstallTest.php
+++ b/core/modules/workspaces/tests/src/Functional/WorkspacesUninstallTest.php
@ -20,6 +20,14 @@ class WorkspacesUninstallTest extends BrowserTestBase {
   */
  protected static $modules = ['workspaces', 'node'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/profiles/minimal/tests/src/Functional/MinimalTest.php
+++ b/core/profiles/minimal/tests/src/Functional/MinimalTest.php
@ -21,6 +21,14 @@ class MinimalTest extends BrowserTestBase {

  protected $profile = 'minimal';

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/profiles/standard/tests/src/Functional/StandardTest.php
+++ b/core/profiles/standard/tests/src/Functional/StandardTest.php
@ -18,6 +18,7 @@ use Drupal\filter\Entity\FilterFormat;
 use Drupal\Tests\BrowserTestBase;
 use Drupal\Tests\RequirementsPageTrait;
 use Drupal\user\Entity\Role;
+use Drupal\user\Entity\User;
 use Symfony\Component\Validator\ConstraintViolation;

 /**
@ -295,6 +296,20 @@ class StandardTest extends BrowserTestBase {
      }

    }
+
+    // Tests that user 1 does not have an all-access pass.
+    $this->drupalLogin($this->rootUser);
+    $this->drupalGet('admin');
+    $this->assertSession()->statusCodeEquals(200);
+
+    User::load(1)
+      ->removeRole('administrator')
+      ->save();
+    // Clear caches so change take effect in system under test.
+    $this->rebuildAll();
+
+    $this->drupalGet('admin');
+    $this->assertSession()->statusCodeEquals(403);
  }

 }
--- a/core/tests/Drupal/FunctionalTests/Theme/ClaroTest.php
+++ b/core/tests/Drupal/FunctionalTests/Theme/ClaroTest.php
@ -26,6 +26,14 @@ class ClaroTest extends BrowserTestBase {
   */
  protected static $modules = ['dblog', 'shortcut', 'pager_test'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/tests/Drupal/KernelTests/Core/Entity/RouteProviderTest.php
+++ b/core/tests/Drupal/KernelTests/Core/Entity/RouteProviderTest.php
@ -25,6 +25,14 @@ class RouteProviderTest extends KernelTestBase {
   */
  protected static $modules = ['entity_test', 'user', 'system'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/tests/Drupal/KernelTests/Core/Render/RenderCacheTest.php
+++ b/core/tests/Drupal/KernelTests/Core/Render/RenderCacheTest.php
@ -21,6 +21,14 @@ class RenderCacheTest extends KernelTestBase {
   */
  protected static $modules = ['user', 'system'];

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
  /**
   * {@inheritdoc}
   */
--- a/core/tests/Drupal/KernelTests/Core/Session/SuperUserPermissionsTest.php
+++ b/core/tests/Drupal/KernelTests/Core/Session/SuperUserPermissionsTest.php
@ -0,0 +1,52 @@
+<?php
+
+namespace Drupal\KernelTests\Core\Session;
+
+use Drupal\KernelTests\KernelTestBase;
+use Drupal\Tests\user\Traits\UserCreationTrait;
+
+/**
+ * Test case for getting all permissions as a super user.
+ *
+ * @covers \Drupal\Core\DependencyInjection\Compiler\SuperUserAccessPolicyPass
+ * @group Session
+ */
+class SuperUserPermissionsTest extends KernelTestBase {
+
+  use UserCreationTrait;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $modules = ['system', 'user'];
+
+  /**
+   * {@inheritdoc}
+   */
+  protected bool $usesSuperUserAccessPolicy = TRUE;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp(): void {
+    parent::setUp();
+    $this->installEntitySchema('user');
+  }
+
+  /**
+   * Tests the super user access policy grants all permissions.
+   */
+  public function testPermissionChange(): void {
+    $account = $this->createUser();
+    $this->assertSame('1', $account->id());
+    $this->assertTrue($account->hasPermission('administer modules'));
+    $this->assertTrue($account->hasPermission('non-existent permission'));
+
+    // Turn off the super user access policy and try again.
+    $this->usesSuperUserAccessPolicy = FALSE;
+    $this->bootKernel();
+    $this->assertFalse($account->hasPermission('administer modules'));
+    $this->assertFalse($account->hasPermission('non-existent permission'));
+  }
+
+}
--- a/core/tests/Drupal/KernelTests/KernelTestBase.php
+++ b/core/tests/Drupal/KernelTests/KernelTestBase.php
@ -236,6 +236,15 @@ abstract class KernelTestBase extends TestCase implements ServiceProviderInterfa
    'config_test.dynamic.system',
  ];

+  /**
+   * Set to TRUE to make user 1 a super user.
+   *
+   * @see \Drupal\Core\Session\SuperUserAccessPolicy
+   *
+   * @var bool
+   */
+  protected bool $usesSuperUserAccessPolicy;
+
  /**
   * {@inheritdoc}
   */
@ -571,6 +580,16 @@ abstract class KernelTestBase extends TestCase implements ServiceProviderInterfa
      ->register('cache_factory', 'Drupal\Core\Cache\MemoryBackendFactory')
      ->addArgument(new Reference('datetime.time'));

+    // Disable the super user access policy so that we are sure our tests check
+    // for the right permissions.
+    if (!isset($this->usesSuperUserAccessPolicy)) {
+      $test_file_name = (new \ReflectionClass($this))->getFileName();
+      // @todo Decide in https://www.drupal.org/project/drupal/issues/3437926
+      //   how to remove this fallback behavior.
+      $this->usesSuperUserAccessPolicy = !str_starts_with($test_file_name, $this->root . DIRECTORY_SEPARATOR . 'core');
+    }
+    $container->setParameter('security.enable_super_user', $this->usesSuperUserAccessPolicy);
+
    // Use memory for key value storages to avoid database queries. Store the
    // key value factory on the test object so that key value storages persist
    // container rebuilds, otherwise all state data would vanish.
--- a/core/tests/Drupal/TestSite/Commands/TestSiteInstallCommand.php
+++ b/core/tests/Drupal/TestSite/Commands/TestSiteInstallCommand.php
@ -86,6 +86,17 @@ class TestSiteInstallCommand extends Command {
   */
  protected $langcode = 'en';

+  /**
+   * {@inheritdoc}
+   *
+   * @todo Remove and fix test to not rely on super user.
+   * @see https://www.drupal.org/project/drupal/issues/3437620
+   */
+  public function __construct(string $name = NULL) {
+    parent::__construct($name);
+    $this->usesSuperUserAccessPolicy = TRUE;
+  }
+
  /**
   * {@inheritdoc}
   */
--- a/sites/default/default.services.yml
+++ b/sites/default/default.services.yml
@ -1,4 +1,8 @@
 parameters:
+  # Toggles the super user access policy. If your website has at least one user
+  # with the Administrator role, it is advised to set this to false. This allows
+  # you to make user 1 a regular user, strengthening the security of your site.
+  security.enable_super_user: true
  session.storage.options:
    # Default ini options for sessions.
    #