User login under maintenance mode

Indeed this is a good point. Please provide a real patch.

I have submitted your patch (replaced if with else if) so this can be reviewed.

This is still a problem in Drupal 5. The fact that non-admin users can log in under maintenance mode, but cannot log out, and are given no indication of their login/logout status, IMHO makes this clearly a bug. This should be fixed for Drupal 6, and backported to Drupal 5.

I tested the patch and rerolled it for head. I also changed the error message to be the same as the usual offline text so that it won't be a post-string-freeze issue. This is definitely a bug worth fixing because currently if you login as an authenticated user you will not even be able to logout in order to login again as an administrator.

I don't think this message is right, we don't say 'Drupal' in a public facing message, and people suggested we even remove the default site name as Drupal, remove all Drupal path instances and replace them with other references of the concept, etc. IMHO what we can basically do is to not allow login for the user and redirect him to the frontpage, where an appropriate message will show. (Not that that message is a site setting and is themeable even, so it can be anything). We cannot make assumptions here about what message to display to the user.

Here we come. Note that despite I changed the return values of _menu_site_is_offline it's really not expected that anyone else would see the new logoutvalue (as the user is logged out immediately) but even if it does unless there is a check for a literal TRUE nothing changes. I simplified the code a tiny bit while there and written copious amounts of comments and doxygen. Note that even before my patch, the doxygen was incorrect.

Note: the patch was written from Gabor's instructions and have nothing to do with earlier attempts.

Um. Why do we run drupal_get_normal_path in here when menu.inc is only included in a full bootstrap, way past the path bootstrap phase which does it anyways?

I can't stop fixing this function, it has so many bugs... this version will allow user/login not just user. Also code underwent further simplification.

The nonrepeating message breaks encapsulation and bloats the code, because the same in drupal_set_message is shorter and as a side effect its reusable in a BC way. Poor _menu_site_is_offline, not much remained :) I believe the speed impact is nil with just a plus if ran for every message call, which are quite rare anyways (debating this is microoptimization anyways).

This seems like kicking out the already-logged-in users too, which is NICE :) Unsure about the drupal_set_message() change this late, though.

The DSM changes are, deliberately, backwards compatible, as already noted. It'd make more sense to change the logic --ie make nonrepeated default-- but that'd be a too big change this late. And yes, I am kicking already logged in users too.

Jaza wrote in #6:

The fact that non-admin users can log in under maintenance mode, but cannot log out, and are given no indication of their login/logout status, IMHO makes this clearly a bug.

This makes this a critical bug which clearly has to be backported.

@Pancho - this bug doesn't exist in Drupal 5, because the menu system is totally different

@dmitrig01: Oops, okay... ;) Missed that. But still it's critical for D6.

1. I don't like the additional parameter to drupal_set_message(). Can we remove that again? Why would we ever want to repeat a message?

2. if ($return = _menu_site_is_offline()) { -- $return is a bad variable name. How about $offline instead?

3. I don't like that fact that _menu_site_is_offline() returns TRUE, FALSE or 'logout'. The function should return TRUE or FALSE -- anything else is a bit of a hack.

While this patch fixes a bug, it degrades the quality of the code.

Why we would want to repeat a message? I have no idea, I was just keeping current behaviour. If changing that is fine, I am happier. The new patch does an external redirect instead of an internal getting rid of the 'logout' return value.

This actually works here.

Dries: one reason I can imagine to display the same message multiple times is for debugging purposes. When you have PHP errors, it is possible that the same error message pops up for the same line (same byte sequence == same message text) but you have an error with a different data set (ie. you run a loop though the same code with five non-nodes, and you get errors, you should get them five times). Also, developer modules have drupal set message helpers, which set debugging info as messages. If you have different drupal set message codes and not all of them output your message (because they are the same object dumped for example), you might be a bit misdirected there.

I cannot think of any purpose for user facing duplicate messages though. Maybe it is worth moving developer messages to a 'debug' message type, instead of reusing the 'warning' core message type for example, and duplication should be possible there. This last code version rules out all possible duplication with messages.

chx: What does a drupal_goto('logout'); do in offline mode, when there is no access to that path for unprivileged users anyway? This looks like an infinite HTTP redirection recursion to me. Or do I miss something here?

Next attempt. Back to repeatable messages. New trick: we call user_logout directly.

After saving the maintenance mode form:

    * notice: Undefined variable: messages in drupal6/includes/bootstrap.inc on line 768.
    * warning: in_array() [function.in-array]: Wrong datatype for second argument in drupal6/includes/bootstrap.inc on line 768.

OK so I when I try to log in as a user with no privileges, it chucks me back to the "maintenance mode" index and logs me out again. Looks like the dsm was taken out on purpose in previous iterations, that's fine with me - we're in maintenance mode, it says so right here, no need for an extra message.

user/1 and a user with administer site configuration get in as expected.

Logs say "session opened", "session closed" right next to each other for the user who's been chucked out -again, that's what's actually happening so seems fine to me.

so on that basis, rtbc.

I think we should not change message recording behavior now (ie. always disallow repeating messages), so this little API extension looks better. It also helps fix bugs elsewhere (http://drupal.org/node/194010), so committed this one. Thanks.

Better issue link: http://drupal.org/node/194010#comment-657958