On the first visit to a Drupal site (using CVS as of yesterday), the user gets an unfriendly 'access denied' message. You can reproduce this reliably using IE 6.0 by deleting cookies and setting the browser to reject all cookies. Any page you visit will be denied.
Diagnosis:
The sess_read() function in user.module does not construct an appropriate user object when there is no session cookie. The query at line 20 fails (the s.sid clause doesn't match any existing session) and the $user object is completely empty.
In this case, the user role is empty and the user_access(whatever) always returns false, leaving your site rather uninviting. :-(
Fix:
(Sorry I'm behind a corporate firewall right now. I can't access CVS so I can't make a patch or post to contrib.)
Insert the following lines at line 23 (i.e. after "$user = db_fetch_object($result);"):
  if (!$user) {
    $result = db_query_range("SELECT u.*, r.name AS role FROM {users} u INNER JOIN {role} r on u.rid = r.rid WHERE u.status < 3", 0, 1);
    $user = db_fetch_object($result);
  }
This provides a fallback query that doesn't rely on any existing session. It creates an anonymous user.
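The failure mode in the report, modelled as a stand-alone example that is added here and is not Drupal's code or the submitted patch: an empty user object makes every permission check fail, while a fallback to an anonymous account restores read access without granting more. The array layout, the function names, the permission strings and the use of uid 0 for the anonymous account are all assumptions of this example.

```php
<?php
// Constructed sample data standing in for the users, role and session tables.
$db = [
    'roles'    => [1 => 'anonymous user', 2 => 'authenticated user'],
    'perms'    => [
        'anonymous user'     => ['access content'],
        'authenticated user' => ['access content', 'post comments'],
    ],
    'users'    => [
        0 => ['uid' => 0, 'name' => '',      'rid' => 1],  // assumed anonymous row
        7 => ['uid' => 7, 'name' => 'alice', 'rid' => 2],
    ],
    'sessions' => ['abc123' => 7],   // sid => uid
];

// Hypothetical helper: join a user row to its role name, or null if absent.
function load_account(array $db, int $uid): ?array {
    $user = $db['users'][$uid] ?? null;
    if ($user !== null) {
        $user['role'] = $db['roles'][$user['rid']];
    }
    return $user;
}

// Reported behaviour: a missing or unknown sid yields an empty user.
function session_user_before(array $db, ?string $sid): ?array {
    if ($sid === null || !isset($db['sessions'][$sid])) {
        return null;
    }
    return load_account($db, $db['sessions'][$sid]);
}

// With a fallback: no session resolves to the anonymous account.
function session_user_after(array $db, ?string $sid): array {
    return session_user_before($db, $sid) ?? load_account($db, 0);
}

// Permission check: an empty user or an unknown role is denied everything.
function can(array $db, ?array $user, string $perm): bool {
    $role = $user['role'] ?? null;
    return $role !== null && in_array($perm, $db['perms'][$role] ?? [], true);
}

foreach ([null, 'abc123'] as $sid) {
    printf("%-12s before: view=%d  after: view=%d comment=%d\n", $sid ?? '(no cookie)',
        can($db, session_user_before($db, $sid), 'access content'),
        can($db, session_user_after($db, $sid), 'access content'),
        can($db, session_user_after($db, $sid), 'post comments'));
}
```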
Comments
Comment #1
Eric Scouten commented:
Submitted patch #146 to fix this issue. (Same patch as described in original bug report.)
Comment #2
random user@rc6.org commented:
Confirmed, patch tested and works perfectly under latest CVS upgrade.
Please include this patch ASAP in the main repository, this is a critical fix for a problem that should be addressed immediately.
Comment #3
Kjartan commented:
Comment #4
Kjartan commented:
Fixed in CVS, please test and close.
Comment #5
(not verified) commented:
Automatically closed due to inactivity (marked fixed for 14 days).