Problem/Motivation
If the authenticated user doesn't have access to post in the forum because the Post Comments permission is not checked, then anonymous users still see an invitation to log in and post content -- which is misleading.
Proposed resolution
Remove the link above forum tables inviting anonymous users to log in when the authenticated user role doesn't have this access.
Remaining tasks
Review patch submitted at #66 based on #40's proposed resolution.
User interface changes
Per #40 See Proposed Resolution
Check implementation of patch submitted at #66 based on #40's proposed resolution.
API changes
None
Original report by [username]
If the authenticated user doesn't have access to post in the forum (in other words, it's read-only), then anon users still see an invitation to log in and post content -- which is misleading.
Summary updated as far as #66
Comment | File | Size | Author |
---|---|---|---|
#88 | Screen Shot 2021-07-11 at 5.07.10 PM.png | 20.92 KB | pameeela |
#69 | interdiff.txt | 2.47 KB | heddn |
#69 | drupal-login-to-post-new-content-link-953214-69.patch | 2.63 KB | heddn |
#67 | anonymousForum-noAccess.png | 7.71 KB | heddn |
#67 | authForum-noAccess.png | 11.39 KB | heddn |
Issue fork forum-953214
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
Comments
Comment #1
drupal-ite CreditAttribution: drupal-ite commentedI am experiencing the same thing. I'd like to know how to remove those words. I have a view only forums that I don't want visitors trying to login to. Is there a simple solution that I'm missing here?
Comment #2
ghostspy CreditAttribution: ghostspy commentedIn file advanced_forum/includes/core-overrides.inc you must commented lines 411–422
/* if (empty($forum_types)) {
// The user is logged-in; but denied access to create any new forum content type.
if ($user->uid) {
$forum_types['disallowed'] = array('title' => t('You are not allowed to post new content in forum.'));
}
// The user is not logged-in; and denied access to create any new forum content type.
else {
$forum_types['login'] = array(
'title' => t('Login to post new content in forum.', array('@login' => url('user/login', array('query' => drupal_get_destination())))),
'html' => TRUE);
}
} */
This is the trick for your request.
Comment #3
drupal-ite CreditAttribution: drupal-ite commentedThanks for the reply. First thing I noticed was your reference to "advanced_forum" which I'm not using. But I took your idea and looked for the code that would be putting that text in there with the hopes of following the same principle. However, I couldn't find anything like it. Thus, not sure here. I next installed advanced_forum (and the other necessary modules that goes along with it), but turns out that the advanced_forum didn't give me any look that i wanted for the site. Thus, I removed those modules. Where in the "core"??? forum module would I change it so that annony users wouldn't have the invitation to log-in and post comments? thanks in advance.
Comment #4
ghostspy CreditAttribution: ghostspy commentedI am sorry. I was solving the same problem in advanced forum and I didn't realise you think just core forum module.
So in file forum/forum.module look for lines 679–688 and comment them like above.
"if (empty($forum_types)) {..."
Comment #5
bclinton CreditAttribution: bclinton commentedJust a note: in Drupal 7 (version 7.8) the "Log in to post new content in the forum." message is on line #201 of modules/forum/forum.module
of course that could always change so just search for it.
Comment #6
larowlanThis to get fixed in 8.x then backported
Comment #7
skottler CreditAttribution: skottler commentedThe permissions for the forum module are not granular enough to allow this functionality. This is unfortunate because it is clearly misleading.
I am marking this issue closed.
Comment #8
joachim CreditAttribution: joachim commentedSorry, but I don't see how the permissions don't allow this.
It's as simple as this surely?
1. Can the user post content?
Yes:
show the 'post content' link.
No:
2. Is the user anonymous & can the authenticated user role post comments?
Yes:
Show the 'login to post new content in the forum' link
No:
Show nothing.
Comment #9
larowlanWhat happens if it's more complicated than just the authenticated user? Eg a specific role is required?
Comment #10
joachim CreditAttribution: joachim commentedIt's impossible to know what role the current anonymous user will have one they have logged in -- so that's a case we can't cover unfortunately.
I would say it's better to not tell the user about something they can do if they log in, than to tell them about something they won't be able to do even if they do log in.
Comment #11
Pat Redmond CreditAttribution: Pat Redmond commentedThe core forum module doesn't allow you to set a forum as 'read-only'. As a result you can't be sure whether a user could post to the forum.
You need to display the link in case the user (when logged in) is able to post to the forum. Otherwise they will be looking for a way to log in.
Comment #12
joachim CreditAttribution: joachim commentedI think you may have misunderstood the issue here. No individual forum can be set as read-only, but it's possible to make the whole of the forums effectively read-only by not giving posting permission to the 'authenticated user' role.
Comment #13
mkadin CreditAttribution: mkadin commentedI see Pat Redmond's point in #11 though as it related to #9. Let's say that only users with role foo can post to the forum. There's no way to know if an anonymous user is going to have the foo role when they log in, so its impossible to tell if logging in will or will not give an anonymous user the right to post.
For the specific case of authenticated users not being allowed to post, we probably should drop the the log in link since all users won't be able to post, regardless of any other roles. Right?
I'll put together a patch.
Comment #14
mkadin CreditAttribution: mkadin commentedNot sure if this is the best approach. Is the authenticated user role always 2? Are there other permissions to check besides 'create forum content'? Is there a faster or simpler way of determining if authenticated users have the forum creation permission?
Please review.
Comment #16
larowlanWith core forum there are the following configurations:
a) Anonymous users can post in the forum
or
b) Users must login to post in the forum
there is no
c) Anonymous users and authenticated users cannot post in the forum - if so what's the point of a forum - no-one can post in it!
Yes I know you can have a role that does allow posting (eg 'Forum user') but before the user logs in you can't ascertain whether or not they have this role and hence can't decide whether or not to show the link.
If the issue here is with other contrib modules that control forum access then we should be approaching this from a theming/override angle to ensure that themers/contrib modules can remove these links on a site-by-site specific use case - the kind of places where the role configuration is pre-known.
Comment #17
larowlanThe link itself is added in hook_menu_local_tasks_alter which any other module is welcome to override and remove.
The said module would also have to implement hook_module_implements_alter to ensure it ran after forum module or hook_install to set it's module weight in the system table lower than that of forum or worst case scenario, give it a machine name that comes after 'forum' in the alphabet!
I think we can close this once and for all. The default behaviour meets most use cases and the specific behaviour requested can be achieved with a contrib/custom module.
Comment #18
joachim CreditAttribution: joachim commented> If the issue here is with other contrib modules that control forum access then we should be approaching this from a theming/override angle to ensure that themers/contrib modules can remove these links on a site-by-site specific use case - the kind of places where the role configuration is pre-known.
No, the case here is that with Core permissions it's possible to have messages that tell outright lies to the anonymous user.
> Yes I know you can have a role that does allow posting (eg 'Forum user') but before the user logs in you can't ascertain whether or not they have this role and hence can't decide whether or not to show the link.
You can have forums that are read-only, precisely. On the matter deciding whether or not to show the link, in #10 I said:
>I would say it's better to not tell the user about something they can do if they log in, than to tell them about something they won't be able to do even if they do log in.
In other words, lie by omission rather than actually lying.
Comment #19
mkadin CreditAttribution: mkadin commentedI agree with #17 and #18, if a module wants to remove the link, its not a difficult thing to do using hook_menu_local_tasks_alter or through any number of theme-layer ways of hiding it. And if we're 100% sure that no one can post to a forum, then we shouldn't say that logging in will allow them to. This is a fix up of the patch from #14 that failed.
In this patch:
If authenticated users don't have permissions to add forum posts, no "login to post" link is shown.
If authenticated users in general don't have permissions to add forum posts, but a specific role does, no "login to post" link is shown. This may be the only option as there's no way to tell if the user will have the role that allows them to post once they've logged in. We could have it display something like "logging in MAY allow you to post on this forum" in this case.
Comment #20
mkadin CreditAttribution: mkadin commentedComment #21
xjmThanks @mkadin. #19 looks like a reasonable solution to me, although it sounds like not everyone is convinced this is a desirable change?
Few minor points for code style cleanup:
Couple minor things here; the comment is wrapping a little too early, there's an extra space after the period, and "Authenticated" does not need to be capitalized. I'd suggest:
// If authenticated users may post new topic, provide a login link.
We should have spaces around
=
and after,
generally. Reference: http://drupal.org/coding-standards#functcallAlso, we should be using the constant
DRUPAL_AUTHENTICATED_RID
rather than the magic-numbery2
.Also, we should add an automated test for this if we do add it. Finally, I'm on the fence as to whether this change is backportable... it does change the behavior a bit, and existing modules or themes might expect the link to be there for some reason.
Comment #22
mkadin CreditAttribution: mkadin commentedThanks for the review xjm, I've made the style changes, but am holding off on writing the test until we're sure this is what we want to implement. Style-corrected-patch attached.
Comment #23
xjmThanks for the cleanup! Easier to read now. :)
Tagging (since any fix will need tests). Not sure how I missed it earlier.
Comment #24
philosurfer CreditAttribution: philosurfer commentedComment #25
DevElCuy CreditAttribution: DevElCuy commentedAdding tag "dlatino" for reference of the Drupal Latino community.
Comment #26
tomogden CreditAttribution: tomogden commentedThis patch works for me. Let's move on.
Comment #27
DevElCuy CreditAttribution: DevElCuy commentedAs per comment at #26
Comment #28
xjmThanks! However, this still needs tests. See #23.
Comment #29
shawngo CreditAttribution: shawngo commentedI've rerolled the patch with the DRUPAL_AUTHENTICATED_RID references and added the tests.
I added the test in its own file since I wasn't quite sure if it belongs in one of the existing test files. I couldn't create a forum topic without creating a user either so that is part of the test.
Comment #30
shawngo CreditAttribution: shawngo commentedI meant to upload the test-only patch first as described here http://drupal.org/node/1468170#steps
Comment #32
shawngo CreditAttribution: shawngo commentedUploading both into same comment with updated file names.
Comment #33
shawngo CreditAttribution: shawngo commentedOk, wondering if setting this to needs review will trigger the automated tests.
Comment #34
markwk CreditAttribution: markwk commentedI tested it out and it looks great.
Comment #35
Barrett CreditAttribution: Barrett commentedLooks good to me. The patch accomplishes its stated purpose and all Forum tests still pass after it is applied.
Comment #36
markwk CreditAttribution: markwk commentedDon't want to muddy the waters but at Capital Camp in DC and backported this patch and test into Drupal 7. Attached as a zip for now.
Comment #37
tim.plunkettRerolled to fix the indentation. No non-space characters were changed by this.
Comment #38
shawngo CreditAttribution: shawngo commentedUpdated the following:
In forum.module - updated array_key_exists to use isset. This was brought up at MWDS.
In ForumAnonymousTest.php - made changes to adhere to coding standards and updated documentation.
I've attached an interdiff for more details.
Comment #39
valthebaldSteps to reproduce/confirm that patch is working:
1. Fresh-install d8-standard
2. Enable forum module
3. Create test user with authenticated role
4. As anonymous user, go to forum/1 - Prompt to login is in place, which is incorrect (by default, there's no permission to create new topics
5. Apply patch
6. As anonymous user, go to forum/1 - Prompt has gone
7. Give create forum content permission to authenticated user
8. As anonymous user, go to forum/1 - Prompt is back
I RTBC that, since patch is pretty straightforward
Comment #40
catchWe have a similar check in comment module, but it's done differently:
It'd be good to do the following:
- find out which of these is the most performant, we could possibly even remove one of the ways of getting this information.
- move this logic to a helper in user module so that other modules can use it. Something like user_role_has_permission($role, $permission)?
Comment #41
pasive CreditAttribution: pasive commented#38: drupal-953214-38.patch queued for re-testing.
Comment #43
fionad CreditAttribution: fionad commented#38: drupal-953214-38.patch queued for re-testing.
Comment #45
SarahSBranham CreditAttribution: SarahSBranham commentedApplied patch #38: drupal-953214-38.patch using steps from comment 39 and patch worked as expected.
Comment #46
valthebald#45: well, test bot apparently thinks different :)
Comment #47
SarahSBranham CreditAttribution: SarahSBranham commentedI just tested it manually, and it worked. Failures found by test bot should be addressed. :)
Comment #48
ifux CreditAttribution: ifux commentedHi there,
first, there was a problem with the anonymous test. in d8 the setUp method does not need the modules, they are given in a static variable
second, I implemented the stuff mention in post #40 by catch
writing the user_role_has_permission method I realized 2 things:
greets ifux
Comment #50
ifux CreditAttribution: ifux commentedgrrr, revert problem
Comment #51
carsonblack CreditAttribution: carsonblack commentedIf the patch in http://drupal.org/node/1853072#comment-6813072 is applied this patch will not apply cleanly. Without the other issue patch applied this patch does apply cleanly. I think these issues are somewhat related because they deal with the same button and how it reacts to anonymous users.
Comment #52
Anonymous (not verified) CreditAttribution: Anonymous commentedI've taken a first go at merging patches #1853072-6: Remove forum_menu_local_tasks_alter() hack and instead add links in ForumController::build and #953214-50: 'Login to post new content in the forum' button assumes auth users have permission to post. I've attached an interdiff file but first time created one so not sure if it worked ok.
If authenticated user has access to post new forum content and visitors can register on the site the action button now redirects to /user and looks like this:
...and if Administrator only registrations then it redirects to /user/login and looks like this:
The buttons are still somewhat confusing as you could have comments on forum topics where you can post, this just checks for posting of topics.
Comment #54
Anonymous (not verified) CreditAttribution: Anonymous commentedMoving messages into block as per @sun's response on other issue #1853072-12: Remove forum_menu_local_tasks_alter() hack and instead add links in ForumController::build
Comment #56
Anonymous (not verified) CreditAttribution: Anonymous commentedHad introduced dependency on block module which also affected other tests. Re-trying.
First posted & tested on #1853072-18: Remove forum_menu_local_tasks_alter() hack and instead add links in ForumController::build.
Comment #57
Anonymous (not verified) CreditAttribution: Anonymous commentedSetting to "needs review".
Comment #59
Anonymous (not verified) CreditAttribution: Anonymous commented#56: forum_access_messages-1853072-18-953214-56.patch queued for re-testing.
Comment #60
wouters_f CreditAttribution: wouters_f commentedI tried to apply this patch, but it did not work on a recent core.
I tried rebasing, but had to solve some conflicts manually.
This might need some testing/review as it is my first reroll.
Comment #62
wouters_f CreditAttribution: wouters_f commentedGot merge conflict out of file that caused fail.
Comment #62.0
wouters_f CreditAttribution: wouters_f commentedUpdated issue summary
Comment #64
janoka CreditAttribution: janoka commentedvariable_set() function was deprricated.
The correct function now is \Drupal\Core\Config::set()
The global $user was deprecated.
Please use Drupal::currentUser().
We have found lines with much more char than 80 character limit.
Comment #65
chintan.vyas CreditAttribution: chintan.vyas commented#56: forum_access_messages-1853072-18-953214-56.patch queued for re-testing.
Comment #66
chintan.vyas CreditAttribution: chintan.vyas commentedThis patch resolves Login link issue for Forums.
I used @catch suggestion at #40 and added user_role_has_permission($rid, $permission) in user module.
I also made changes in comment module to use user_role_has_permission instead of user_roles which IMO seems more performant then user_roles which is currently being used in comment module. user_roles uses join query while user_role_permissions uses query without join.
cheers
Comment #66.0
chintan.vyas CreditAttribution: chintan.vyas commentedUpdated issue summary.
Comment #67
heddnAttached are screenshots. Even though #1853072: Remove forum_menu_local_tasks_alter() hack and instead add links in ForumController::build is still in progress, so this should be RTBC.
Anonymous
Authenticated
Comment #67.0
heddnAdding information about submitted patch based on #40 proposed resolution.
Comment #68
alexpottI think we should just replace calls to this function with
Comment #69
heddnAddressing comments in #68
Comment #70
alexpottNeed to change this to - this now references an function that does not exist
Plus where are the tests
Comment #71
heddnSo I just did a thorough review of the entire issue. I don't think that the solution proposed will actually work. What if authenticated user role doesn't have permission to post to a forum or post a comment? What if that is reserved to a power user role? We'd effectively remove a login link. This really should be resolved, either through contrib theming or post user login and give an appropriate message. I haven't checked, is such a message currently available?
And if we agree that the link should remain visible, then we should make sure that comment and forum are in sync. Currently comment checks that the authenticated role has the permission while forum always prints the login link.
Comment #72
joachim CreditAttribution: joachim commented> What if authenticated user role doesn't have permission to post to a forum or post a comment? What if that is reserved to a power user role? We'd effectively remove a login link.
Yes. But it's a trade-off:
A. Users see a login link, they log in, and the find they can't post comments. They were lied to.
B. Users whose accounts have a power user role don't get a handy login link.
We have to pick one.
Comment #73
heddnHmm, I see your logic. What if we don't display a login URL at all, ever? And leave it to contrib modules/themes to add as they see fit? Most sites I build these days have a handy login link in the top right corner of the site making the additional login link semi-redundant.
C. Provide a message to users that they do not have access to post.
Comment #74
bwooster47 CreditAttribution: bwooster47 commentedCan someone briefly summarize the best way to remove this "Login to post new content in the forum." link?
I need to make my site static, and that link is interfering with making a static copy (see https://www.drupal.org/node/27882 for steps that normally work, only the Forum module is a problem).
Since I'm doing this to create a static copy, any simple method, even if it is hacking code, would work, and I suspect one of the comments above has the answer, just wondering if there is something very simple possible here.
Comment #75
larowlanhook_menu_local_actions_alter would be my guess
Comment #76
bwooster47 CreditAttribution: bwooster47 commented[deleted - wrong post]
Moved to Comment: Creating a static archive
Comment #77
tibbsa CreditAttribution: tibbsa commentedI don't understand "option C". If the theory was to display a message (drupal_set_message-style) after logging in saying, "oh, sorry, you still can't post", I don't see how that works. Just because a person logs in from a page where comments exist does not mean they logged in "with the intention" of posting a comment.
Insofar as standard basic behaviour is concerned, I'd be inclined to remove this message from forum and comment, or make its presence configurable on the admin side so that it can be enabled on sites where that makes logical sense but turned off on sites where it does not. In the majority of my development sites, "does not" has fit the bill, but there are exceptions.
The reality is that neither module could know in advance whether logging in will be sufficient to do the job. Even relying on the "authenticated user" role might not be enough, given the possibility of that being overridden somewhere along the way.
Fundamentally, I can't imagine that on MOST sites, this would be "the only way" or the only "obvious" way to log in in the first place. This is particularly true if only 'super users' have the permission in any event. Those 'super users' probably don't desperately need the handy login link.
Comment #78
cmanalansan CreditAttribution: cmanalansan commentedI am removing the Novice tag from this issue because:
I’m using this documentation as a source: https://www.drupal.org/core-mentoring/novice-tasks#avoid
Comment #87
pameeela CreditAttribution: pameeela commentedComment #88
pameeela CreditAttribution: pameeela commentedBeen thinking about this and I agree with #73 that this should just be removed. Core doesn't have any other specific calls to action like this for anonymous users, and I can see why it existed, but it just doesn't make sense anymore.
If you want to add a call to action to your site you can do it in any number of ways - just did it with a custom block in about 30 seconds:
Even with the permissions check there is no reason for this to be in core.
Comment #93
quietone CreditAttribution: quietone at PreviousNext commentedForum is approved for removal. See #1898812: [policy] Deprecate forum module for removal in Drupal 11
This is now Postponed. The status is set according to two policies. The Remove a core extension and move it to a contributed project and the Extensions approved for removal policies.
It will be moved to the contributed extension once the Drupal 11 branch is open.
Comment #95
pameeela CreditAttribution: pameeela commentedJust updating to say this can be moved once the removal of forum is committed to 11.x. It has not yet been done.
Comment #96
quietone CreditAttribution: quietone at PreviousNext commented