Drupal has a built-in status setting for users - blocked or active. When a shibboleth user is blocked, they can still log in but see the following message:
Notice: Undefined property: stdClass::$cache in DrupalDatabaseCache->prepareItem() (line 422 of /path/to/drupal/includes/cache.inc)..

They may also see links and tabs implying they can edit or carry out administrative tasks, but when they click them they get the Access Denied page.

Expected behavior is that shib_auth will respect this setting, perhaps showing the user a "you are not authorized to login" message. If this is not possible, add a warning to the status field on user edit form stating that the status setting is only partially effective for shibboleth users. And mention this fact in the documentation.

Comments

bajnokk’s picture

Sure it's a bug. It used to be behaving correctly, so somewhere we re-introduced it.

bajnokk’s picture

It's working with 6.x, so it's a bug affecting only D7.

shafter’s picture

Status: Active » Fixed

Fixed in 7.x-dev.

Commitdiff is a bit messy, but not much changed, just one condition added to shib_login_authmap.

This issue was caused by D6-D7 API changes, and 'external' user management is a bit hard to handle... While external_login_or_register finalizes registrations now, it doesn't check if the user is blocked or not. External_login function still does it, so these functions are not very clear here.
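
The check described in the comment above, sketched for Drupal 7 as an added example (it is not the shib_auth commit and not part of the thread). The helper name `example_external_login_if_active` and the `'example'` watchdog type are hypothetical; `user_external_load()`, `user_external_login_register()`, `watchdog()` and `drupal_set_message()` are Drupal 7 core functions, and the code assumes it runs inside a bootstrapped Drupal 7 site.

```php
<?php
/**
 * Hypothetical helper (the name is an assumption, not part of shib_auth):
 * refuse to open a Drupal 7 session for a blocked external account.
 *
 * @param string $authname
 *   The identifier supplied by the external authentication source.
 * @param string $module
 *   The module that owns the authmap entry.
 *
 * @return bool
 *   TRUE if the login was handed to core, FALSE if it was refused.
 */
function example_external_login_if_active($authname, $module) {
  // Look up an existing account through the authmap table.
  // Returns FALSE when no account is mapped to this authname yet.
  $account = user_external_load($authname);

  // status == 0 means "blocked". user_external_login_register() finalizes
  // the login without testing this, so the caller has to test it first.
  if ($account && empty($account->status)) {
    watchdog('example', 'Blocked user %name attempted an external login.',
      array('%name' => $account->name), WATCHDOG_WARNING);
    drupal_set_message(t('The username %name has not been activated or is blocked.',
      array('%name' => $account->name)), 'error');
    return FALSE;
  }

  // Unknown or active account: let core register it if needed and log it in.
  user_external_login_register($authname, $module);
  return TRUE;
}
```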

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

jelo’s picture

Status: Closed (fixed) » Active

This still seems to be an issue in 7.x-4.0. If a user is blocked in my Drupal site and tries to log in with Shibboleth, the server tries for a minute or so to access the application before returning an error about too many redirects. In the watchdog I find dozens of entries "Session opened for .".

heatherwoz’s picture

I believe it was fixed in dev, but a release was never made. There hasn't been a new release since Nov. 2011, hope one will be coming soon.