On 5.1 it appears there's a rendering issue for the 'Access is denied' page a user will get when attempting to use their 'one time login' link provided in the registration confirmation link before an administrator has approved the account creation. It's a bit hard to explain, please see the attached image. This was observed in the latest version of Opera and Firefox 2.0 as well. The back-end is PHP4 with MySQL 4.1.21. I disabled all non-core modules to see if it was anything related to those and could still reproduce the problem.

Has anyone else seen this before?

Comments

vm’s picture

I remove the one time login from the email on sites that require admin approval of accounts before login.

this can be done, adminsiter -> user settings -> body of welcome email.

pjb’s picture

@VeryMisunderstood: True, that'd solve the problem easily, but having admin-approval for new users isn't really conducive to the size of the userbase I expect for the site. My admin group is already overwhelmed with our current website and having to approve users (with no option to change that currently).

I have the admin approval turned at the moment because we're playing with a development site and I don't need everyone and his brother creating accounts while we're working...so it was sort of by accident that I discovered this issue, and thought I'd share it with the developers.

blcarson’s picture

I've gotten this bug also - had to remove the link from the email but I'd really like to see this fixed.

LAsan’s picture

Version: 5.1 » 7.x-dev
Priority: Normal » Minor

Is this still a bug?

stovicek’s picture

Version: 7.x-dev » 5.10
Priority: Minor » Critical

This bug is in my clean install of 5.10.

Simply pointing your browser to user/reset while not logged in gives the double vision - suggesting a problem with perhaps the user.module?

Steps to recreate:

1. Install Drupal 5.x
2. Create admin account
3. logout
4. point browser to user/reset

drumm’s picture

Version: 5.10 » 5.x-dev
Priority: Critical » Minor

This is not an issue in Drupal 6 and above.

I do not think this is critical since nothing links directly to user/reset.

stovicek’s picture

The user registration process (when email confirmation is required) links to user/reset - which is where I first encountered the problem.

Edit: More specifically, when a user followed the one-time email confirmation link, the resulting page was double vision. The path also happened to be not found, but it seems to me there should never be an instance where double vision occurs. Something is making a bad call somewhere...

nicholasthompson’s picture

Title: 'Double Vision' occurs when user who is not yet approved attempts to use one-time login link. » User Reset callback does not handle Access Denied function correctly
Priority: Minor » Critical
Status: Active » Needs review
StatusFileSize
new555 bytes

The problem stems from the call to drupal_access_denied() at the end of the reset function. That function simply prints out an access denied page, but nothing is done to stop the Drupal menu callback from also printing out its own page contents - which in this case is nothing...

The attached patch simply adds an "exit" call after printing out the access denied.

drumm’s picture

Priority: Critical » Normal
Status: Needs review » Needs work

Some cleanup needs to happen before simply calling exit. See drupal_goto() for an example.

Everywhere else drupal_access_denied is called, the menu callback returns nothing, and the double page does not happen. The menu callback here is drupal_get_form(), so an empty form on a page is rendered.

In Drupal 6, the page is not found instead of access denied. I think the best solution would be checking that all 3 parameters are present, if they are not, then 404.

drumm’s picture

Confirmed on a client's site that this does happen.

dpearcefl’s picture

Status: Needs work » Closed (won't fix)

Considering the lack of activity on this issue and that Drupal v5 is no longer supported by fixes or patches, I am going to close this ticket.