I have a situation where I am using custom built API calls to create a user, set a global flag on that user, and then log that user in. However, when I log the user in, the global flag (i.e. uid=0) gets automatically "migrated" into a non-global flag (i.e. uid= the uid for the logged in user). This migration occurs because I am using the Session API, and flag incorrectly picks up the flag I have created as being one created by an anonymous user.

Here is a more detailed workflow of what happens:

  1. API flags user (e.g. uid=2). The API code is not running as an anonymous user, so an entry gets created in the flag_content table with content_id=2, uid=0, sid=0. This is correct
  2. API logs uid=2 in, and therefore calls the flag_user() hook. Because this is being done by the API. flag_user attempts to migrate flags created by the anonymous user. It calls flag_get_sid to get the session id, and this returns 0 (session_api_available() returns false because this is being invoked by a call to my API, and so cookies are not enabled). It then updates all flags in the flag_content table with uid=0, and sid=0 so that uid=2. This is incorrect

The only way I have managed to work around this problem is by altering the flag module so that it does not migrate flags if the sid field is 0.

In my situation flag_get_sid is returning 0 because the code I am writing has not been invoked by a browser, and cookies are not available. Presumably this bug will occur in other situations where sid returns 0, such as if the user does not have cookies enabled.

Comments

quicksketch’s picture

quicksketch
he/him
commented

Thanks for the report. It sounds like we should be able to detect this situation if session_api_available() returns FALSE, we just don't do the migration.

quicksketch’s picture

quicksketch
he/him
commented
Status: Active » Fixed

This has been fixed in #622942: Unflagged Content stays shown as flagged.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.