cas_translated_menu_link_alter overrides destination query strings on menu items [#2938995]

The code below in cas.module (7.x-1.6) at line 455 over writes url querystring data with the current page or current page destination in all menus.

If you wanted to have a menu item that had url of cas?destination=node/4 which displayed to anonymous users, and when clicked redirected them to cas login, and then back to node/4 on successful login, the above mentioned code prevents it.

This hook_alter changes the destination parameter of every menu links with a URL of "cas", to "cas?" plus the result of drupal_get_destintation().

drupal_get_destination() checks for a query string on the current node url via GET, it does not look at the menu item array to see if the array had a destintation set. So if the anonymous user is on node/12 with no destination, all the cas?destination menu items are changed to "cas?destination=node/12". Or if the user is on node/12?destination=node/13, the menu items are replaced with cas?destination=node/13.

I am sure there was a valid reason for this override, but it does not make sense to me to apply it to all menu items globally and disrupt the normal flow of the ?destination= query string which is present in drupal core.

If there is a need to redirect all "cas" urls in menu items somewhere on the way back, then the function should check the $item['options']['query']['destination'] is empty before replacing it in the localized options with the results of drupal_get_destination().

/**
 * Implements hook_translated_menu_item_alter().
 *
 * Append dynamic query 'destination' to several menu items.
 */
function cas_translated_menu_link_alter(&$item) {
  if (strtolower($item['href']) == 'cas') {
    $item['localized_options']['query'] = drupal_get_destination();
  }
  elseif (strtolower($item['href']) == 'caslogout' && !variable_get('cas_logout_destination', '')) {
    $item['localized_options']['query'] = drupal_get_destination();
  }
}

Comment	File	Size	Author
#8	destination-param-override-fix-2938995-8.patch	1.66 KB	bkosborne
#8	7.x-1.x: PHP 5.3 & MySQL 5.5, D7 44 pass

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

23 January 2018 at 21:21

donaldwbabcock created an issue. See original summary.

Comment #2

donaldwbabcock CreditAttribution: donaldwbabcock commented 23 January 2018 at 21:22

Title:	cas_translated_menu_link_alter overrides all query strings on menu items	» cas_translated_menu_link_alter overrides destination query strings on menu items
Issue summary:	View changes

edit for clarity.

Comment #3

donaldwbabcock CreditAttribution: donaldwbabcock commented 23 January 2018 at 21:30

Issue summary:

View changes

edit to fix typos

Comment #4

donaldwbabcock CreditAttribution: donaldwbabcock commented 23 January 2018 at 21:38

This works, but with out understanding the "why" it was in the first place, I am hesitant to submit it as a patch.

/**
 * Implements hook_translated_menu_item_alter().
 *
 * Append dynamic query 'destination' to several menu items.
 */
function cas_translated_menu_link_alter(&$item) {
  if (strtolower($item['href']) == 'cas') {
    // if no destination is set, set one via drupal_get_destination
    if(!isset($item['options']['query']['destination'])) {
      $item['localized_options']['query'] = drupal_get_destination();
    }
  }
  elseif (strtolower($item['href']) == 'caslogout' && !variable_get('cas_logout_destination', '')) {
    $item['localized_options']['query'] = drupal_get_destination();
  }
}

Comment #5

donaldwbabcock CreditAttribution: donaldwbabcock commented 23 January 2018 at 21:42

Issue summary:

View changes

typos and description update

Comment #6

bkosborne

English

New Jersey, USA

CreditAttribution: bkosborne at Princeton University commented 7 February 2018 at 12:53

Version:	7.x-1.6	» 7.x-1.x-dev
Category:	Feature request	» Bug report

I didn't write that original code, but it seems to be there as a convenience. Basically if you had a menu item with /cas in it, the CAS module "helpfully" alters it to add a destination parameter to it to bring users back to the current page they were on when they clicked the link. Without that, the user would typically be brought back to the homepage of your site after authenticating with CAS.

Your approach generally makes sense. We should not overwrite any existing query string parameters on that menu link if they already exist. I'll write a proper patch and see if it passes the tests.

Comment #7

metzlerd CreditAttribution: metzlerd commented 7 February 2018 at 16:14

Yes... The behavior to alter it to make sure it goes back to the login page. I didn't write the code either, but it was probably done because we were having people manually create the "Cas login" link rather than having the module provide dynamically generated links, which would impact caching i guess. Making it only override when destination is not already set does seem like the correct behavior, as long as it doesn't change the behavior of allowing logins to return to the page the user was on when clicking the cas login link.

Comment #8

bkosborne

English

New Jersey, USA

CreditAttribution: bkosborne at Princeton University commented 8 February 2018 at 01:16

Status:

Active

» Needs review

File	Size
destination-param-override-fix-2938995-8.patch	1.66 KB
7.x-1.x: PHP 5.3 & MySQL 5.5, D7 44 pass

@donaldwbabcock, please try this patch.

Comment #9

12 February 2018 at 15:17

bkosborne committed 8cfb322 on 7.x-1.x

Issue #2938995 by bkosborne, donaldwbabcock:...

Comment #10

bkosborne

English

New Jersey, USA

CreditAttribution: bkosborne at Princeton University commented 12 February 2018 at 15:18

Status:

Needs review

» Fixed

I think this is good to commit, doesn't look like I'll get a review. I want to get an annoying UI fix that's currently in dev release, so will create a new release soon.