When someone gets a 403 error, sends a password reset, and logs in with the "forgot my password" password reset one-time login link, they are taken directly to the page on which they initially got access denied— no chance to change their password.

Drupal meanwhile loses the password reset token from the query parameter, and so when the user does go to their account page to change their password, they are asked to enter their old password to set a new one— which is rather inconvenient when they have forgotten their old password, which is why they used the password reset link in the first place.

Comments

mlncn’s picture

This patch solves this issue. In the process:

  • It alters drupal_goto rather than user_login, using less code while adding a check for the password reset token (and setting the destination for later redirect rather than taking over the goto right then).
  • It uses the customerror namespace for storage of the destination in the global session variable.
  • It only sets a destination in the session if the user is logged out (and so has hope of having a different result on going to that access denied location when logging in).

It seems solid at always getting the user back to the page access denied was encountered on after logging in, while letting users who use the password reset one-time login link go to their account page to reset their password first. Tested to ensure the issue solved (in 7.x) in #825860: Logging in on 403 page does not work isn't reintroduced.

mlncn’s picture

Status: Active » Needs review

  • gisle committed ccb6974 on 7.x-1.x authored by mlncn
    Issue #2345967 by mlncn: Fixed redirect to page on which 403 error...
gisle’s picture

Thanks for the patch mlncn!

I've tested it, and it looks fine. It has been committed to the 7.x-1.x-dev branch.

I'd prefer that a third person tests it and gives it the status RTBC before pushing it in a regular release.

gisle’s picture

gisle’s picture

Version: 7.x-1.x-dev » 7.x-1.3
Status: Reviewed & tested by the community » Fixed

Fixed in release 7.x-1.3.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.