See:
https://www.drupal.org/drupal-6.35-release-notes
https://www.drupal.org/drupal-7.35-release-notes
https://www.drupal.org/node/2455005

Because the LoginToboggan code passes the user's email address to user_pass_rehash() when the API expects a last login timestamp, the backwards compatibility layer added to Drupal core as part of this security release won't help with LoginToboggan.

The result is that some one-time-login and validation links don't work correctly with these versions of Drupal core.

All modules that call user_pass_rehash() should update for this core release, but for LoginToboggan it's especially critical since the backwards-compatibility layer won't work on any site.


Comments

David_Rothstein’s picture

Here are patches for the Drupal 6 and Drupal 7 versions of the module. They are lightly tested and seem to work, but need review.

citricguy’s picture

Under what circumstances are one-time links generated by LoginToboggan? Does LoginToboggan take over the password reset feature from Drupal Core?

Also, far more importantly, thank you David_Rothstein for creating patches for this so quickly.

Anybody’s picture

Works well for me!

Yazzbe’s picture

Rolled the patch successfully against version 7.x-1.4 on Drupal 7.35.
The one-time login link seems to work fine for me too.

Many thanks for the quick patch.

GaëlG’s picture

Status: Needs review » Reviewed & tested by the community

2 people saying it's OK. If I'm right this is RTBC.

David_Rothstein’s picture

Under what circumstances are one-time links generated by LoginToboggan? Does LoginToboggan take over the password reset feature from Drupal Core?

Also, far more importantly, thank you David_Rothstein for creating patches for this so quickly.

You're welcome!

I don't think LoginToboggan actually takes over the password reset feature, but it does use one-time-login links in other circumstances. For example, if the module is configured to give new users a "pre-auth" role and only promote them to a full member once they've clicked a link in their email, that link is generated by LoginToboggan and I think is subject to this problem. But I'm not sure about all the details.

Shai’s picture

I've applied the Drupal 6 and Drupal 7 versions of this patch on live sites and tested them both. Worked fine for me. It would be nice to get this out into a release soon.

Thanks much!

drumm’s picture

Issue tags: +affects drupal.org

drumm’s picture

I can confirm this patch works well on Drupal.org.

darol100’s picture

I have tested the D7 patch and it works fine. I think this patch is ready to be committed to the dev branch.

saniyat’s picture

I can confirm this patch works well.

ecvandenberg’s picture

In my configuration the one-time-logins work without the patch.

  • Drupal 7.35
  • Ctools 7.x-1.7
  • LoginToboggan 7.x-1.4

If I can help with providing extra relevant info, just let me know.

MakeOnlineShop’s picture

Hello, do you know when LoginToboggan for Drupal 6.35 will be released? Thank you.

dooug’s picture

I confirmed the conditions/circumstance in which the 7.35 core update breaks logintoboggan 7.x-1.x-dev as mentioned in comment #6:
The LoginToboggan settings on: /admin/config/system/logintoboggan should be as follows. "Set Password" must be checked and "Non-authenticated role" should be something other than the authenticated role.
The account settings on: /admin/config/people/accounts should have: "Who can register accounts?" set to "Visitors, but administrator approval is required"

Then, when a new visitor creates an account, the administrator gets the "user_register_pending_approval_admin" email with a link that approves the new user, sets the user's role to 'authenticated', and directs the admin to that user page. For example:

new-user-name has applied for an account.

http://website.dev/user/717/edit

The user has automatically received the permissions of the LoginToboggan
validating role. To give the user full site permissions, click the link
below:

http://website.dev/user/validate/717/1427145925/X8gclVT6WhjT7LBshdnqDZSe...

Alternatively, you may visit their user account listed above and remove them
from the validating role.

Without this patch, I'd get this drupal error message:

"Sorry, you can only use your validation link once for security reasons. Please log in with your username and password instead now."

With the patch, this worked as expected, except in the case where the "Non-authenticated role" was set to "authenticated user"; that this field even allows choosing the "authenticated user" role seems to be a separate issue.

Shai’s picture

Thanks @Dooug for the clarification.

Is there anything preventing this patch from being committed?

dooug’s picture

This is a quick drush command to check if your D7 site is configured in a way for the bug to exist:
$ drush sqlq "select * from variable where name = 'user_email_verification' or name = 'user_register' or name = 'logintoboggan_pre_auth_role';"
If so, you'll see:

name    value
logintoboggan_pre_auth_role     s:1:"5";
user_email_verification b:0;
user_register   s:1:"2";

The logintoboggan_pre_auth_role value will depend on which role is set to be assigned to new users before they are approved.
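An added example (not part of the thread, and not LoginToboggan or drush code) that wraps the query from the comment above in a repeatable check. It assumes the affected combination described earlier in the thread: "Who can register accounts?" set to administrator approval (user_register = 2), e-mail verification off as shown in the comment's output (user_email_verification = 0, which is what LoginToboggan's "Set password" option toggles), and a pre-auth role other than the authenticated-user role, which has role id 2 in Drupal 7. The function names and the sample rows are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the issue thread or the LoginToboggan project.
# Wraps the drush query from the comment above in a check that decides whether
# a Drupal 7 site is in the configuration under which the validation-link
# breakage was reproduced. Assumptions (see lead-in): user_register = 2,
# user_email_verification = 0, pre-auth role != authenticated role (rid 2).

QUERY="select name, value from variable where name = 'user_email_verification' or name = 'user_register' or name = 'logintoboggan_pre_auth_role';"

# Extract the scalar from a PHP-serialized value as stored in {variable}:
#   s:1:"2";  -> 2      b:0;  -> 0      i:5;  -> 5
unserialize_scalar() {
  printf '%s\n' "$1" | sed -e 's/^[a-z]:[0-9]*:"\(.*\)";$/\1/' \
                           -e 's/^[a-z]:\([0-9]*\);$/\1/'
}

# Reads "name<tab>value" rows (the format drush sqlq prints) from stdin and
# succeeds (exit 0) only when all three settings match the affected combination.
# A header row or any other variable name is ignored.
lt_affected_config() {
  register=""; verify=""; preauth=""
  while read -r name value; do
    case "$name" in
      user_register)               register=$(unserialize_scalar "$value") ;;
      user_email_verification)     verify=$(unserialize_scalar "$value") ;;
      logintoboggan_pre_auth_role) preauth=$(unserialize_scalar "$value") ;;
    esac
  done
  if [ "$register" = "2" ] && [ "$verify" = "0" ] \
     && [ -n "$preauth" ] && [ "$preauth" != "2" ]; then
    return 0
  fi
  return 1
}

# Live check, run from a Drupal 7 docroot; extra arguments (for example a site
# alias) are passed through to drush unchanged.
check_site() {
  if drush "$@" sqlq "$QUERY" | lt_affected_config; then
    echo "affected configuration: update LoginToboggan before relying on validation links"
  else
    echo "configuration not affected by this issue"
  fi
}

# Offline demonstration on constructed rows modelled on the comment's output.
demo_affected() {
  printf 'logintoboggan_pre_auth_role\ts:1:"5";\nuser_email_verification\tb:0;\nuser_register\ts:1:"2";\n' \
    | lt_affected_config
}

# Same constructed rows, but with the pre-auth role set to the authenticated
# role (rid 2), which the thread treats as a separate problem rather than this one.
demo_not_affected() {
  printf 'logintoboggan_pre_auth_role\ts:1:"2";\nuser_email_verification\tb:0;\nuser_register\ts:1:"2";\n' \
    | lt_affected_config
}
```

Source the file and call `check_site` (or `check_site @alias`) from the site root; `demo_affected` and `demo_not_affected` exercise the same logic on the embedded sample rows without a database. The unserializer only handles the scalar `s:`, `b:` and `i:` forms because those are the only shapes these three variables take.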

Shai’s picture

@dooug,

Thanks so much! Would the query you wrote work equally well for D7 and D6?

dooug’s picture

@shai, I haven't tried it on D6, only on D7.

danylevskyi’s picture

Problem exists. D7 version of the patch worked great for me.
Thanks guys!

dooug’s picture

It seems that the maintainer, @stevecowie, hasn't made any commits since last July. There are 12 issues that are RTBC waiting. I poked him via email.

dooug’s picture

Priority: Critical » Major

Also, since this only affects certain use cases of the module, I downgraded the priority level from "critical" to "major".

citricguy’s picture

Can also confirm that this patch works.

DuneBL’s picture

I confirm the patch is working...
Before applying the patch, I got this warning

Warning : Missing argument 4 for user_pass_rehash(), called in /var/www/drupal/sites/all/modules/logintoboggan/logintoboggan.module on line 1058 and defined dans user_pass_rehash() (ligne 2386 dans /var/www/drupal/modules/user/user.module).

...when creating a new account.

rfay’s picture

Priority: Major » Critical

Pushing back to critical - Although the D7 problem is minor, the base problem here is critical, as user_pass_rehash() gets called with wrong arguments.

rfay’s picture

Please note that this *also* involves an API change for logintoboggan, as logintoboggan_eml_rehash() has added the uid to its signature. This can break other modules that call logintoboggan_eml_rehash().

myDrupal2014_846824658246’s picture

The patch at #1 works for me.

rogerpfaff’s picture

Tested the patch and can confirm it's working

federico’s picture

Drupal 7.35
LoginToboggan 7.x-1.4

Without the patch, I got this error:
Warning: Missing argument 4 for user_pass_rehash(), called in sites/all/modules/logintoboggan/logintoboggan.module on line 1058 and defined en user_pass_rehash() (líne 2386 /modules/user/user.module).
And the user sees this message:

Sorry, you can only use your validation link once for security reasons.

After applying the patch, the error is gone, but when the user registers, there is no validation link whatsoever.

Please click the following link:

Thanks!

There is no dblog error.

federico’s picture

I updated Drupal to 7.36, removed the logintobbogan folder and applied the patch again, but the issue is still there: the user receives the validation link http://www.example.com/user/validate/9946/1428323176/Ewh9kWMV9eyQoqz1NvB... but when the user clicks the link, the following error arises: Notice: Undefined variable: uid en logintoboggan_eml_rehash() (line 1058 de /sites/all/modules/logintoboggan/logintoboggan.module).

Just to check if I am doing it right, these are the commands I ran:

cd sites/all/modules
rm -rf logintoboggan/
drush dl logintoboggan
cd logintoboggan
wget https://www.drupal.org/files/issues/logintoboggan-drupal-7.35-compatibility-2455049-1.patch
patch < logintoboggan-drupal-7.35-compatibility-2455049-1.patch
| patching file logintoboggan.module
| Hunk #1 succeeded at 1051 (offset -3 lines).
| patching file logintoboggan.validation.inc

darol100’s picture

@federico,

As far as I know, in order to apply your patches you should download your module using git at the version control tab.

So it should look something like this...

cd sites/all/modules
rm -rf logintoboggan/
git clone --branch 7.x-1.x http://git.drupal.org/project/logintoboggan.git
cd logintoboggan
wget https://www.drupal.org/files/issues/logintoboggan-drupal-7.35-compatibility-2455049-1.patch
git apply logintoboggan-drupal-7.35-compatibility-2455049-1.patch

If you have any other question about applying patches please check this video or this article.

izmeez’s picture

@federico I don't see anything wrong with you applying the patch directly without git. From comment #29 it looks as if the patch applied for you. Sometimes (depending on your OS) you may have to use patch -p1 < filename.patch
You don't really need a git clone unless you are creating a patch.

federico’s picture

Thanks, I can confirm that the patch was applied. Today, I tested the module again, creating and validating a new account, and the issue seems to be solved, i.e. the user could validate the account. I don't know why it didn't work 2 days ago but it's working now for me.

liupascal’s picture

Patch works for me

DanChadwick’s picture

+1 RTBC. Tested the 7.x patch.

@stevecowie - We would very much appreciate a commit and new release.

stevecowie’s picture

Status: Reviewed & tested by the community » Fixed

Patch applied and pushed. Apologies to all of you for keeping you waiting on this.

Heine’s picture

Could you please make a new release (per the "critical bug-fix" criterion)?

David_Rothstein’s picture

Version: 7.x-1.x-dev » 6.x-1.x-dev
Status: Fixed » Needs review

Thanks @stevecowie! Yeah, a new release would be nice if possible. In the meantime, I've updated https://www.drupal.org/drupal-7.35-release-notes to indicate that this is fixed in the latest 7.x-1.x release.

There's also a patch for Drupal 6 in #1.

Anybody’s picture

I can confirm 7.x-1.x-dev works great and a new stable release would be great for production sites. Thank you very much for your work!

dooug’s picture

Assigned: Unassigned » dooug

Hello all, @stevecowie has approved my co-maintainer status, so I will be able to support him to get this issue queue into shape. I'll make it my goal to get this into 6.x-1.x-dev this week and roll new stable releases.

deggertsen’s picture

Thank you @dooug! This is quite a critical issue.

DanChadwick’s picture

This was indeed committed, but there was a typo in the issue number in the commit, so the project manage didn't comment here. Here's the commit:
http://cgit.drupalcode.org/logintoboggan/commit/?id=75eff86

deggertsen’s picture

Status: Needs review » Fixed

Is this fixed then?

DanChadwick’s picture

Status: Fixed » Needs review

Fixed in D7. Issue open for the D6 patch referenced in #37.

darol100’s picture

Title: Various one-time-login and validation links don't work with Drupal 6.35 and Drupal 7.35 » Various one-time-login and validation links don't work with Drupal 6.35+

Changing the title since the D7 patch has been committed.

  • dooug committed e08fd37 on 7.x-1.x
    Issue #2455049 by dooug: Updated CHANGELOG.txt for 7.x-1.5 release.

dooug’s picture

Please review and confirm that this applies and resolves this issue in D6.35.

jboyette36’s picture

I tested this solution in Drupal 6.35; however, I applied the patch manually because the copy of LoginToboggan that is on the site was apparently customized in some way when the site was built. (It wasn't me!) So, this fixed the one-time login link issue that I was having, but I'm not sure if this qualifies towards RTBC since it wasn't on an official version of the D6 module.

mr.j’s picture

Status: Needs review » Reviewed & tested by the community

The patch has been working fine for us on D6 for over a month.

  • dooug committed 82e15a1 on 6.x-1.x authored by David_Rothstein
    Issue #2455049 by David_Rothstein: Various one-time-login and validation...

dooug’s picture

Status: Reviewed & tested by the community » Fixed

To avoid any further delay, and since this patch was well reviewed for D7 and is nearly the same in D6, it sounds safe to commit.

Thanks again to @David_Rothstein for the patches!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

MarcusTis’s picture

Hello,

The patch seems to have been applied to the latest stable version, 7.x-1.5, but it doesn't seem to work, as I get the same error message. Does this module require any updates to, for example, ctools? My error message still says "For security reasons, the confirmation link is used only once."

I am running the latest Drupal core, 7.39.

Thank you,