Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
So if you don't use the user login block, but instead login from the user/login page. After you successfully authenticate with your OpenID provider, you are redirected to the user/login page which presents you with a "Access denied" message. You are, however, actually logged in; you just can't access user/login when you are logged in.
To reproduce:
- Go to http://dc2009.drupalcon.org/user/login
- login with your OpenID provider
- Wait for your OpenID provider to redirect you back to http://dc2009.drupalcon.org/user/login
- Weep.
Comment | File | Size | Author |
---|---|---|---|
#34 | 365597_34_d6.patch | 2.04 KB | paul.lovvik |
#30 | 365597_30.patch | 1.82 KB | paul.lovvik |
#22 | openid-login-destination_1_d6.patch | 1.31 KB | zyxware |
#16 | openid-login.patch | 1.15 KB | mfb |
#12 | step-1-login.png | 38.45 KB | Francewhoa |
Comments
Comment #1
gdemetI've been able to reproduce this issue on both the Drupalcon DC and Drupalcon Szeged sites, as well as any other Drupal site that I've attempted to login to using OpenID
Comment #2
JohnAlbinHere's a screenshot showing:
Comment #3
Jody LynnThis always happened to me on the DC Szeged site too, because their login link goes to user/login (rather than user).
OpenID modules's form_alter sends you back to drupal_get_destination. That's not safe to do upon changing someone's role. Seems better to just redirect to /user.
Comment #4
Jody LynnComment #6
floretan CreditAttribution: floretan commentedThe problem with the patch from #4 is that it always redirects you to http://example.com/user, which is not always what we want. A specific case is when the login URL has a destination specified, like http://example.com/user/login?destination=node/123 (or http://example.com/user/login?destination=user, which I use as a temporary solution), but that destination would be ignored.
However, I do agree that this absolutely needs to be fixed. We can't ship Drupal with an OpenID client that is broken by default.
Also marked #268485: Returns to login page as a duplicate.
Comment #7
mfbThe attached patch fixes the issue in openid.module.
By the way, my initial thought was that it would be nice to redirect the
user/login
page to theuser
page for authenticated users, but I'm not sure how to do this when we have to deny access so users don't see a "Log in" menu item. We would need some way to deny access and redirect to another page.Comment #8
mfboops. Removed an extra blank line.
Comment #9
Jody LynnThis looks good.
Comment #10
Dries CreditAttribution: Dries commentedThis looks good to me. Wouldn't it be better to make this a generic function in user.module so that it can be reused by other authentication modules? Probably not very important, but could be helpful.
Comment #11
mfbChanged openid_get_destination() to user_login_destination()
Comment #12
FrancewhoaConfirming that patch in #11 works. Thanks mfb
I tested the following.
-Login with OpenID on a fresh Drupal site without content.
-Login with OpenID on a fresh Drupal site with content. Destination node/1
-Simulating user error by trying to log-in with wrong OpenID URL.
Tested with.
-Drupal 7 (September 9, 2009 - 05:11) fresh install.
-Garland theme.
-Windows XP
-Internet Explorer 7
Comment #13
webchickCommitted to HEAD. Thanks!
Comment #14
sunNo tests.
mfb was so kind to not-really-point-me-here, but mention this addition in #578520: Make $query in url() only accept an array. ;)
Comment #15
sunTagging.
Comment #16
mfbadded user/login test to the existing openid login test.
Comment #17
Francewhoa@all: What are 'tests'? I read that on a few issue queues. Could you give me link(s) where I could read more about what tests are? Does 'tests' means tests for the 'SimpleTest' module or Drupal automated patch testing output as 'Testbed results'? Or something else? Thanks.
Comment #18
floretan CreditAttribution: floretan commented@Onopoc: by "tests" we mean automated tests written for the Drupal SimpleTest module (in core since Drupal 7). You can find more info here: http://drupal.org/simpletest
The test addition looks good to me.
Comment #19
FrancewhoaThanks flobruit
Comment #20
webchickThanks for the tests! Committed to HEAD.
Comment #22
zyxware CreditAttribution: zyxware commentedThe same issue exists in Drupal 6.15. I have reworked the patch for Drupal 6.15 and am attaching it here.
Comment #23
jcisio CreditAttribution: jcisio commented6.16 is out and this wasn't fixed :(
Comment #24
Gábor HojtsyWho tested this besides frowning that it is not in release yet?
Comment #25
sunComment #26
old_kking CreditAttribution: old_kking commentedsubscribed.
Comment #27
nilsja CreditAttribution: nilsja commentedi also get redirected to domain.com/user where again the login form is displayed. but without access denied. i'm just not logged in.
i dont understand why this is happening. when i login without openid i am also redirected to /user but logged in!
before i try the patch: do you think it would help in my case? running 6.16...
it could also be related to a session variable problem: http://drupal.org/node/223194
Comment #28
apadernoThat happens to me when the server handling the OpenID account returns something that Drupal is not able to understand, or that understands to be an error.
Comment #29
nilsja CreditAttribution: nilsja commented@kiamlaluno, the strange thing is that on other drupal installations it works fine. and the openid provider i am using is also a drupal with openid provider module...
Comment #30
paul.lovvik CreditAttribution: paul.lovvik commentedI tested this change and it does address the issue. The code looks good except I don't think the function that figures out the login destination should go into the user module. It seems like this is the only known usage, and likely the only code that should use it. That being the case, I did a minor reroll of the patch to move this functionality into the openid module and refactored the comment a bit.
Please disregard this patch
Comment #32
paul.lovvik CreditAttribution: paul.lovvik commentedThe patch in http://drupal.org/node/365597#comment-2542070 was the basis of the patch I just posted and I new see that I have undone the work suggested in comment #10. Sorry about that. I did test the previous patch and the code is fine as is, and it solves my customer's issue.
Comment #33
Gábor HojtsyCan we get your docs additions from this last patch but keep the user_*() function space addition as in the previous patch?
Comment #34
paul.lovvik CreditAttribution: paul.lovvik commentedAbsolutely. Here is the new patch. #22 with the comment from #30. i verified the patch locally.
Comment #35
ksenzeeLooks great.
Comment #36
Gábor HojtsyLooks great, especially glad for the testing feedback; committed.