Redirect after password expiry fails for modal forms login [#2583109]

Steps to reproduce:
1. Enable password policy and add password expiry rule.
1. Enable modal forms for login form.
2. Log in using the user whose password has expired.
3. Ideally the user should be redirected to account edit form (something like this - user/25/edit/account?destination=node/30).
4. Redirection fails and import statements are displayed in popup.

In password policy module file, in function _password_policy_go_to_password_change_page, drupal_goto is used to redirect user to password change screen.

I tried to replace drupal_goto with following code:

$password_change_path = _password_policy_get_preferred_password_change_path();
ctools_include('modal');
ctools_include('ajax');
$output = array();
ctools_add_js('ajax-responder');
$output[] = ctools_modal_command_dismiss();
$output[] = ctools_ajax_command_redirect($password_change_path, 2000);
print ajax_render($output);

But this does not work. I understand this is not a complete solution. We have to add a check, if modal forms is enabled for login form then only ctools code should run, goto should work in other cases.

I have posted issue earlier here: https://www.drupal.org/node/2541194

Comment	File	Size	Author
#11	password_policy-modal_forms_support-2583109-11-d7.patch	1.19 KB	pooja.sarvaiye
#11
#8	password_policy-modal_forms_support-2583109-8-d7.patch	1.19 KB	pooja.sarvaiye
#8
#5	password_policy-modal_forms_support-2583109-5.patch	1.09 KB	pooja.sarvaiye
#5

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

8 October 2015 at 11:38

pooja.sarvaiye created an issue. See original summary.

Comment #2

pooja.sarvaiye CreditAttribution: pooja.sarvaiye commented 8 October 2015 at 11:39

Title:

Redirect after password expiry in fails for modal forms login

» Redirect after password expiry fails for modal forms login

Comment #3

pooja.sarvaiye CreditAttribution: pooja.sarvaiye commented 8 October 2015 at 11:42

Issue summary:

View changes

Comment #4

rteijeiro CreditAttribution: rteijeiro at Tieto commented 12 October 2015 at 09:33

Comment #5

pooja.sarvaiye CreditAttribution: pooja.sarvaiye at Tieto commented 13 October 2015 at 06:37

File	Size
password_policy-modal_forms_support-2583109-5.patch	1.09 KB

Comment #6

neerajskydiver CreditAttribution: neerajskydiver as a volunteer and at Valuebound commented 13 October 2015 at 09:09

Status:

Active

» Needs review

Comment #7

13 October 2015 at 09:10

Status:

Needs review

» Needs work

The last submitted patch, 5: password_policy-modal_forms_support-2583109-5.patch, failed testing.

Comment #8

pooja.sarvaiye CreditAttribution: pooja.sarvaiye at Tieto commented 13 October 2015 at 09:56

File	Size
password_policy-modal_forms_support-2583109-8-d7.patch	1.19 KB

Comment #9

pooja.sarvaiye CreditAttribution: pooja.sarvaiye at Tieto commented 13 October 2015 at 10:12

Status:

Needs work

» Needs review

Comment #10

13 October 2015 at 10:13

Status:

Needs review

» Needs work

The last submitted patch, 8: password_policy-modal_forms_support-2583109-8-d7.patch, failed testing.

Comment #11

pooja.sarvaiye CreditAttribution: pooja.sarvaiye at Tieto commented 13 October 2015 at 10:26

File	Size
password_policy-modal_forms_support-2583109-11-d7.patch	1.19 KB

Comment #12

pooja.sarvaiye CreditAttribution: pooja.sarvaiye at Tieto commented 13 October 2015 at 10:27

Status:

Needs work

» Needs review

Comment #13

amolnw2778 CreditAttribution: amolnw2778 as a volunteer and at Tieto commented 15 October 2015 at 07:45

@pooja One minor change - First letter of comment needs to be uppercase. // prompted for their current password on password change page unnecessarily.

Comment #14

AohRveTPV CreditAttribution: AohRveTPV commented 15 October 2015 at 22:47

Is there a way to do this without adding module-specific integration code? Password Policy should not need to know about other modules like "Modal forms (with ctools)". This line is specific to that module:

if (variable_get('modal_forms_login')) {

Such code adds complexity and makes the module difficult to test.

Comment #15

pooja.sarvaiye CreditAttribution: pooja.sarvaiye at Tieto commented 16 October 2015 at 05:41

@AohRveTPV, I am also not very happy with the solution. But I could not figure out a better way to solve this. I uploaded patch here so that others can have a look and suggest some better approach. Any suggestions are most welcome.

Comment #16

AohRveTPV CreditAttribution: AohRveTPV commented 17 October 2015 at 16:32

How do you "Enable modal forms for login form."?

I installed the Modal Forms module on a fresh Drupal site, but I don't see how to do it.

Steps of how to configure Modal Forms to reproduce the problem on a fresh Drupal site would be helpful.

Comment #17

pooja.sarvaiye CreditAttribution: pooja.sarvaiye at Tieto commented 19 October 2015 at 05:52

You will have to add a password policy to expire user accounts after some days of inactivity. Then try to login using the expired account. You may alter last login date manually in db, for testing purpose.
The steps are mentioned in the issue description.

Comment #18

AohRveTPV CreditAttribution: AohRveTPV commented 22 October 2015 at 22:18

"1. Enable modal forms for login form." <-- How do you do this?

Comment #19

pooja.sarvaiye CreditAttribution: pooja.sarvaiye at Tieto commented 26 October 2015 at 06:44

You have to turn on Enable for login links option here - admin/config/development/modal_forms

Comment #20

AohRveTPV CreditAttribution: AohRveTPV commented 23 November 2015 at 14:52

Status:

Needs review

» Postponed (maintainer needs more info)

Thanks, I am able to reproduce the problem now. I hadn't realized you have to create a link to user/login.

Looks like the problem is Modal Forms relies on a call to modal_forms_login() when the user is returned to user/login after submitting the login form. That function calls Ctools functions that close the modal window and perform the redirection. However, Password Policy calls drupal_goto() before that callback is executed, which attempts the redirection without closing the modal window.

I am thinking it is a problem that should be fixed in Modal Forms. Modal Forms should not assume that another module will not redirect to a different page. That is, Modal Forms should not assume the user will be returned to user/login after submitting the login form.

Again, adding any code like if (<modal_forms enabled>) to Password Policy is very undesirable. Password Policy should not need to know about other contributed modules.

One possible solution is to use hook_drupal_goto_alter() to execute the Ctools calls as does modal_forms_login(). The following seems to work, but I do not know whether it is secure or fully correct. Please consider it a proof of concept.

/**
 * Implements hook_drupal_goto_alter().
 */
function modal_forms_drupal_goto_alter(&$path, $options, &$http_response_code) {
  if (arg(0) == 'modal_forms' && arg(2) == 'login') {
    ctools_include('modal');
    ctools_include('ajax');
    $output = array();
    $output[] = ctools_modal_command_dismiss(t('Login success'));
    $output[] = ctools_ajax_command_redirect($path);
    print ajax_render($output);
    drupal_exit();
  }
}

That could be put in a separate module to avoid hacking changes to Modal Forms or Password Policy.

Would this approach be a solution to the problem?