Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Filing this as a bug, because while I'm sure it's something in my configuration, it's a common configuration. If it's not a code bug, it's something we should address in doco.
Occasionally my users report that they comment on nodes and the comment is attributed to the wrong user. The nodes where comments are available have panels layout, but the panel just one pane which displays "Node being viewed: content". The pane is set to "no caching." The node itself is rendered by display suite, including the comments area. There's nothing special in that configuration, either.
I can see that there's a second request coming from my browser for /authcache.php?a=comment_node_document_form&r=frag/form-token&o[q]=&v=9ejted , which gets a 200. Stepping through that request with xdebug it looks like it just generates a form token the way it handles all form tokens... nothing special. What's more, the only way it ever seems to work out the UID for the form is from global $user, and I can't think of a case when that would be inaccurate. I have no reports of this problem in any other form, but then, node add/edit forms aren't cached. Only the roles which are allowed to get authcached content have this problem.
On my own local testing environment I cannot reproduce the issue, but on live it's definitely happening intermittently. It's possible that this only that happens after a period of time. I have cache expiry set to a week (form cache expiry too), as well as key expiry.
General info about the setup:
Authcache behind varnish with memcached as the authcache keystore. Using Authcache ajax, not ESI. Memcache has 2 gigs of memory available to it, and memcache stats say there have been no evictions:
[pid] => 6343
[uptime] => 1191108
[time] => 1406039872
[version] => 1.4.4
[pointer_size] => 64
[rusage_user] => 432.769209
[rusage_system] => 774.608241
[curr_connections] => 15
[total_connections] => 329422
[connection_structures] => 29
[cmd_get] => 18170817
[cmd_set] => 1911223
[cmd_flush] => 0
[get_hits] => 15379820
[get_misses] => 2790997
[delete_misses] => 4191783
[delete_hits] => 59842
[incr_misses] => 0
[incr_hits] => 0
[decr_misses] => 0
[decr_hits] => 0
[cas_misses] => 0
[cas_hits] => 0
[cas_badval] => 0
[auth_cmds] => 0
[auth_errors] => 0
[bytes_read] => 4493608831
[bytes_written] => 76055444693
[limit_maxbytes] => 2147483648
[accepting_conns] => 1
[listen_disabled_num] => 0
[threads] => 4
[conn_yields] => 0
[bytes] => 414404761
[curr_items] => 212211
[total_items] => 1911223
[evictions] => 0
I'm using the module's own default.vcl with a some extra logic for HTTP/S redirects... nothing that is being fired on these pages, though. I have also noticed that on all my environments I see the occasional request to /authcache-ajax-get-key with restarts == 0. They get appropriately redirected to the frontpage by authcache's default.vcl logic, but I don't know where those requests are coming from. I don't believe those are impacting this problem though, since I see them on my local dev environment where I can't reproduce the problem.
Some other information that may be pertinent: many of the users on live come through the same IP. It is possible that some are even sharing computers, though they know how to log in and out so I don't believe it's user error.
I'm beating my head against the wall on this one. Any help would be greatly appreciated!
| Comment | File | Size | Author |
|---|---|---|---|
| #9 | interdiff.txt | 3.21 KB | znerol |
| #8 | 2307555-fix-comments-misattributed-8.diff | 12.92 KB | znerol |
| #5 | 2307555-fix-comments-misattributed.patch | 9.96 KB | znerol |
| #3 | 2307555-TEST-ONLY-fix-comments-misattributed.patch | 5.51 KB | znerol |
Comments
Comment #1
znerol CreditAttribution: znerol commentedWhen they say that their comment is attributed to the wrong user, is this before the comment form has been posted or is the comment attributed to the wrong user after posting it?
Comment #2
ohthehugemanatee CreditAttribution: ohthehugemanatee commented@znerol that's exactly what I'm trying to find out from them. So far I haven't been able to duplicate it myself, and no one remembers if the name of the comment form was correct before they posted it. I can definitely tell you that the comments are misattributed AFTER posting, I'm just not sure if it's the case before. Hopefully will have more info on this this week.
Comment #3
znerol CreditAttribution: znerol commentedI now can reproduce this issue. It occurs when something triggers the form-cache on the comment form, for example an Ajax enabled element like a file upload widget. The authors name is cached along with the form in an element of type
#valueand upon submission the cached value is used.The fact that this is only a problem for users with the exact same role-combination (aka Authcache Key) makes this bug even more obscure.
Attached is the test-case which reproduces this situation.
The plan is now to fix the author name from within a submission callback which we can form-alter into the comment form from within the Authcache Comment module.
Comment #5
znerol CreditAttribution: znerol commentedAfter applying the patch be sore to clear
cache_bootstrap, I've moved a hook implementation from Authcache User to Authcache Comment.Comment #6
znerol CreditAttribution: znerol commentedComment #8
znerol CreditAttribution: znerol commentedRelocating the tests from Authcache User to Authcache Comment.
Comment #9
znerol CreditAttribution: znerol commentedComment #11
znerol CreditAttribution: znerol commentedThanks for the report.