We can't use hook_init in Drupal 7 the way it was used in previous versions of the Cosign module because some changes were made to the order that hooks run in D7. Essentially, there are a bunch of things that run in between hook_boot and hook_init in D7. One of these is menu_get_item, which runs the menu access callback functions on the request and returns $router_item['access'] before hook_init even runs. This means that if a user links directly to an https page with any Drupal permissions protection, the user will hit an access denied page immediately after authenticating through cosign. Refreshing that page or navigating to a new one does not produce a second access denied, because by that point $user is defined from hook_init on the previous page request.

Instead, hook_menu_get_item_alter() needs to be used.

For reference:

Along with this bug, there are a number of other problems:

  • Improperly labelled and unnecessary admin settings, along with improper default values
  • Old documentation in INSTALL.txt
  • Lots of Drupal code style guide problems
  • Bug whereby code in hook_init does not check to ensure that $user->name matches the name passed in remote_user, opening the possibility that a user could gain access to a different user's Drupal account in certain specific use cases
  • Need for additional feature to log user out of Drupal when remote_user becomes empty.

I've worked on all these. Patch forthcoming.
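As an added illustration of the pattern the issue describes (it is not the Cosign module's own code or the patch attached below), here is a hypothetical Drupal 7 module, cosign_example, that establishes $user inside hook_menu_get_item_alter() rather than hook_init(), so the account is set before menu_get_item() runs the access callback. It also shows the two other checks listed above: refusing to keep a session whose $user->name differs from REMOTE_USER, and logging the user out when REMOTE_USER becomes empty. The module name, function names, the assumption that the web server's cosign filter populates $_SERVER['REMOTE_USER'], and the refusal to log in blocked accounts are all assumptions of this example.

```php
<?php
/**
 * @file
 * Hypothetical D7 module (cosign_example). Assumes the web server's cosign
 * filter puts the authenticated principal in $_SERVER['REMOTE_USER'].
 */

/**
 * Implements hook_menu_get_item_alter().
 *
 * menu_get_item() calls this alter hook before _menu_translate() checks
 * $router_item['access'], so a login performed here is visible to the access
 * callback on the very first request. hook_init() runs too late for that.
 */
function cosign_example_menu_get_item_alter(&$router_item, $path, $original_map) {
  global $user;
  // menu_get_item() can run several times per request; sync the session once.
  static $done = FALSE;
  if ($done) {
    return;
  }
  $done = TRUE;

  $remote_user = cosign_example_remote_user();

  // Case 1: the web server no longer asserts an identity. If Drupal still holds
  // an authenticated session, end it rather than letting it outlive cosign.
  if ($remote_user === NULL) {
    if ($user->uid) {
      cosign_example_logout();
    }
    return;
  }

  // Case 2: already logged in. The Drupal account must match the identity the
  // web server asserts; otherwise a stale session could hand one person's
  // Drupal account to a different cosign principal.
  if ($user->uid) {
    if ($user->name !== $remote_user) {
      cosign_example_logout();
      cosign_example_login($remote_user);
    }
    return;
  }

  // Case 3: anonymous session, but cosign asserted a user: log them in now.
  cosign_example_login($remote_user);
}

/**
 * Returns the trimmed REMOTE_USER value, or NULL when absent or empty.
 */
function cosign_example_remote_user() {
  $name = isset($_SERVER['REMOTE_USER']) ? trim($_SERVER['REMOTE_USER']) : '';
  return ($name === '') ? NULL : $name;
}

/**
 * Logs in the Drupal account whose name equals the cosign principal.
 *
 * Assumption of this example: unknown or blocked accounts stay anonymous;
 * no account is auto-created here.
 */
function cosign_example_login($name) {
  global $user;
  $account = user_load_by_name($name);
  if (!$account || !$account->status) {
    return FALSE;
  }
  $user = $account;
  // Regenerates the session id and invokes hook_user_login().
  user_login_finalize();
  return TRUE;
}

/**
 * Ends the current Drupal session, mirroring what core's user_logout() does
 * without its redirect.
 */
function cosign_example_logout() {
  global $user;
  watchdog('cosign_example', 'Closed session for %name: REMOTE_USER changed or became empty.', array('%name' => $user->name));
  module_invoke_all('user_logout', $user);
  // Drupal's session handler resets $user to the anonymous user on destroy.
  session_destroy();
  $user = drupal_anonymous_user();
}
```

The name comparison is strict; if your cosign deployment returns principals in a different case than the stored Drupal usernames, normalise both sides (for example with drupal_strtolower()) before comparing rather than dropping the check.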


Comments

kevinchampion

Assigned: kevinchampion » Unassigned
Status: Active » Needs review
FileSize
25.19 KB

Here's the patch.

mlhess

Status: Needs review » Fixed

This has been committed to 7.x head.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.