On the first visit to a Drupal site (using CVS as of yesterday), the user gets an unfriendly 'access denied' message. You can reproduce this reliably using IE 6.0 by deleting cookies and setting the browser to reject all cookies. Any page you visit will be denied.

Diagnosis:

The sess_read() function in user.module does not construct an appropriate user object when there is no session cookie. The query at line 20 fails (the s.sid clause doesn't match any existing session) and the $user object is completely empty.

In this case, the user role is empty and user_access() always returns false, whatever permission is checked, leaving your site rather uninviting. :-(

Fix:

(Sorry I'm behind a corporate firewall right now. I can't access CVS so I can't make a patch or post to contrib.)

Insert the following lines at line 23 (i.e. after "$user = db_fetch_object($result);"):

  if (!$user) {
    // No session matched the cookie (or there was no cookie): fall back to a
    // user row that does not depend on the sessions table at all.
    $result = db_query_range("SELECT u.*, r.name AS role FROM {users} u INNER JOIN {role} r on u.rid = r.rid WHERE u.status < 3", 0, 1);
    $user = db_fetch_object($result);
  }

This provides a fallback query that doesn't rely on any existing session. It creates an anonymous user.
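A worked illustration of the fallback, added here and not taken from the report or from Drupal's user.module: a sess_read()-style lookup run against an in-memory SQLite reduction of the users, role and sessions tables (PDO with the pdo_sqlite extension, constructed sample rows), with a user_access()-style check alongside it. Where the posted query takes the first row with status < 3, this version loads the anonymous account explicitly by uid 0 (Drupal's convention for the anonymous user), so the result does not depend on table row order, and it covers the three cases a practitioner would want to see: no cookie at all, a cookie carrying an unknown sid, and a valid session. The table layout, the comma-separated perm column and the function names are simplifications assumed for the example.

```php
<?php
// Added example, not Drupal's code: sess_read()-style lookup with an explicit
// anonymous-user fallback, against a constructed in-memory SQLite schema.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed reduction of the Drupal tables named in the report.
$db->exec("CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT, perm TEXT)");
$db->exec("CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, rid INTEGER, status INTEGER)");
$db->exec("CREATE TABLE sessions (sid TEXT PRIMARY KEY, uid INTEGER, timestamp INTEGER)");

// Constructed sample data. uid 0 is the anonymous account (Drupal convention, assumed here).
$db->exec("INSERT INTO role VALUES (1, 'anonymous user', 'access content')");
$db->exec("INSERT INTO role VALUES (2, 'administrator', 'access content, administer users')");
$db->exec("INSERT INTO users VALUES (0, '', 1, 1)");
$db->exec("INSERT INTO users VALUES (1, 'admin', 2, 1)");
$db->exec("INSERT INTO sessions VALUES ('sid-admin-1234', 1, strftime('%s', 'now'))");

// Resolve the session cookie value to a user row; fall back to uid 0 when
// there is no cookie, the sid is unknown, or the account is not active.
function sess_read_example(PDO $db, ?string $sid): array {
    $user = null;
    if ($sid !== null && $sid !== '') {
        $stmt = $db->prepare(
            "SELECT u.uid, u.name, u.status, r.name AS role, r.perm
               FROM users u
               INNER JOIN sessions s ON s.uid = u.uid
               INNER JOIN role r ON r.rid = u.rid
              WHERE s.sid = :sid AND u.status < 3"
        );
        $stmt->execute([':sid' => $sid]);
        $user = $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
    }
    if ($user === null) {
        // Select the anonymous account by its fixed uid rather than taking
        // whichever users row the database happens to return first.
        $stmt = $db->query(
            "SELECT u.uid, u.name, u.status, r.name AS role, r.perm
               FROM users u INNER JOIN role r ON r.rid = u.rid
              WHERE u.uid = 0"
        );
        $user = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($user === false) {
            throw new RuntimeException('anonymous user row (uid 0) is missing');
        }
    }
    return $user;
}

// user_access()-style check: an empty role (the report's failure mode) grants nothing.
function user_access_example(array $user, string $perm): bool {
    if (empty($user['perm'])) {
        return false;
    }
    $perms = array_map('trim', explode(',', $user['perm']));
    return in_array($perm, $perms, true);
}

// First visit: no session cookie at all.
$anon = sess_read_example($db, null);
printf("no cookie   -> uid %d, role '%s', access content: %s, administer users: %s\n",
    $anon['uid'], $anon['role'],
    user_access_example($anon, 'access content') ? 'yes' : 'no',
    user_access_example($anon, 'administer users') ? 'yes' : 'no');

// Cookie present but the sid is unknown (expired or forged): same fallback.
$stale = sess_read_example($db, 'sid-does-not-exist');
printf("unknown sid -> uid %d, role '%s'\n", $stale['uid'], $stale['role']);

// Valid session resolves to the real account.
$admin = sess_read_example($db, 'sid-admin-1234');
printf("valid sid   -> uid %d, role '%s', administer users: %s\n",
    $admin['uid'], $admin['role'],
    user_access_example($admin, 'administer users') ? 'yes' : 'no');

// The symptom from the report: a completely empty user object is denied everything.
printf("empty user  -> access content: %s\n",
    user_access_example([], 'access content') ? 'yes' : 'no');
```

Run it with `php sess_read_example.php`. The last line reproduces the "access denied on every page" symptom the report describes, and the first two show that both the missing-cookie and unknown-sid paths end up as the anonymous user with only the anonymous role's permissions, never as an arbitrary account.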

Comments

Eric Scouten

Submitted patch #146 to fix this issue. (Same patch as described in original bug report.)

random user@rc6.org

Confirmed, patch tested and works perfectly under the latest CVS upgrade.

Please include this patch ASAP in the main repository; this is a critical fix for a problem that should be addressed immediately.

Kjartan

Assigned: Unassigned » Kjartan

Kjartan

Fixed in CVS, please test and close.

Anonymous

Automatically closed due to inactivity (marked fixed for 14 days).