I have all users, whose profiles have been created by an admin, unable to log in if the Legal module is enabled. The login attempt simply flips them to the front page, no error message, but not logged in either. I can only get a user to successfully log in if I delete their profile and have them register themselves.

Comments

andrea88_b’s picture

Hi,
I have the same problem with version 7.x-1.x-dev.

OMD’s picture

Assigned: OMD » Unassigned
Robert Castelo’s picture

What are the steps to reproduce this bug?

Are the created users trying to log in via a one time log in link in an email?

Robert Castelo’s picture

Assigned: Unassigned » Robert Castelo
Status: Active » Postponed (maintainer needs more info)
erback123’s picture

Having the same issue, but I am quite sure it has worked before; I just discovered this issue recently. A note is that I updated Drupal core to the latest version two weeks ago. @Robert Castelo: for me, the users are trying to log in directly without email confirmation.

erback123’s picture

Update: I think I found the issue. It seems to be happening if the user presses "go backward" in the browser when presented with accept terms and conditions at first login. Any thoughts on that?

kunkunkun’s picture

I am having the same issue. The problem happens when an admin creates an account from the admin page. Obviously the admin can't agree to the T&C for this newly created user, thus resulting in the login issue. It would be great if this could be resolved by an "accept-t&c-page" for new users, like the one we see after the T&C is updated.

Account generated by user has no such problem.

Latest Drupal 7 and Legal 7.x-1.5

arm0246’s picture

We had a similar issue and solved it by disabling the Login Destination module, because it did not allow us to access the T&C page to re-accept them. Hope it helps.

zeezhao’s picture

Please, was anyone able to resolve the issue in #7, i.e. a new user can't log in using the link generated when the new user is created by an admin via admin/people/create?
Note: I am using latest dev version.

zeezhao’s picture

Status: Postponed (maintainer needs more info) » Active

Same issue applies to when password reset link sent for existing and T&C has changed. Won't be able to login.

hosais’s picture

In my installation, it happens when the terms are updated (the user needs to agree to the terms again). I started to notice this issue because the users cannot log in to reset their password. (terms need to be agreed to again + password reset => cannot log in at all).

I use oa2. With a clean oa2 installation, there is a similar symptom. Check my post in the oa2 issue queue: https://www.drupal.org/node/2502013. Strangely, in a clean Drupal installation, there is no such problem.

Leeteq’s picture

Title: admin created users unable to login » Login fails when an account is required to (re-)verify terms at the same time as a password reset link is used
Version: 7.x-1.4 » 7.x-1.x-dev
zeezhao’s picture

This new heading is masking the fact that there are two separate but related issues:
1. when a user is created by admin via admin/people/create, user can't log in with link generated.

2. An existing user can't login when password reset link sent and T&C has changed.

So it looks more of an issue related to verifying login via log-in links and at the same time the need to confirm T&C when using such links.

Leeteq’s picture

Title: Login fails when an account is required to (re-)verify terms at the same time as a password reset link is used » One-time login links does not work when ToS needs to be (re-)verified

@zeezhao/#14: I think the underlying problem is that a login link does not work when ToS needs to be verified at the same time.

Your point #1: when an admin creates an account, the user has not verified the ToS, and thus the Legal module will require that on the first login. Since that will be from the link sent by the admin user creation, that situation occurs right away.

Your point #2: same thing: regardless of if it is an admin that creates the account, or an existing user that wants to use a password reset link, neither of them can use such a one-time link if the Legal module is set to require re-verification of the ToS at that moment.

If I understand this correctly, it is the same problem. One-time login links do not work when the ToS either needs to be verified (the first time for a new user), or needs to be re-verified after a ToS change.

Adjusting the title a bit.

Leeteq’s picture

Title: One-time login links does not work when ToS needs to be (re-)verified » One-time login links fails when ToS needs to be (re-)verified
Leeteq’s picture

This is actually a showstopper for many projects when it comes to deciding whether to use this module or not.
(need to choose another module, cannot get started with Legal with this bug)

I think that with this bug, the "stable" release should not be marked "Recommended".
It should be removed from the project page until this is fixed, and we also need a notice and a link to this issue from the project page now.

This is not "stable release", if it prevents users from logging in...

Leeteq’s picture

Version: 7.x-1.x-dev » 7.x-1.5
Leeteq’s picture

I am actually not sure if there are any other alternative, stable D7 modules for this kind of functionality right now. (tips are welcome)

That makes it even worse for projects that need this. New, small projects that need this functionality now may simply need to start using WP or Joomla instead at the moment...

Robert Castelo’s picture

Last time I tried this I couldn't reproduce the problem.

Can someone who is experiencing this issue please try it on a plain version of Drupal, with no contrib modules enabled.

If that works OK then the issue is due to a contrib module that's been enabled, and we'll need to work out which one it is.

zeezhao’s picture

In relation to #14, a new user that self registers and gets sent verification link does not experience the issue though.

hosais’s picture

@Robert Castelo Thank you for the check.

As I mentioned at https://www.drupal.org/node/2502013 :

In drupal clean installation, legal module does not have problem with /user/login. It seems that legal module has issue with "destination in url".

In oa2, if the login form action="/user/login" has problem, but form action="/home?destination=home" has NO problem.

Mike@oa2 has responded that the hooks related to login redirection may be disabled in the next release. I am not sure this should be issue to legal module though (to help our module easily integrated).

hosais’s picture

By the way, for now I skip legal term hook, legal_user_login(), when $_POST['form_id'] == 'user_pass_reset'.

Of course this is not a real solution (in normal case, it delays one time for the users to sign the update terms in the next successful login... but maybe they will never).
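One way to apply the workaround from the comment above without editing the Legal module's own files, as an added example that is not part of the thread or of the Legal project's code. `mymodule` is a hypothetical custom module name, and the code assumes Legal's login hook is named `legal_user_login()` as the comment states; acceptance of the terms is deferred, as the comment itself notes, so each skip is logged.

```php
<?php
/**
 * @file
 * mymodule.module (hypothetical custom module for Drupal 7).
 */

/**
 * Implements hook_module_implements_alter().
 *
 * Always removes Legal's own hook_user_login() implementation. The result of
 * this hook is cached, so the per-request decision must not be made here; it
 * is made in mymodule_user_login() below instead.
 */
function mymodule_module_implements_alter(&$implementations, $hook) {
  if ($hook == 'user_login' && isset($implementations['legal'])) {
    unset($implementations['legal']);
  }
}

/**
 * Implements hook_user_login().
 *
 * Runs Legal's terms check on every login except one submitted from the
 * one-time login form (form_id "user_pass_reset"), which is the condition
 * given in the comment above.
 */
function mymodule_user_login(&$edit, $account) {
  $form_id = isset($_POST['form_id']) ? $_POST['form_id'] : '';

  if ($form_id === 'user_pass_reset') {
    // Terms acceptance is deferred to the next regular login. Record it so
    // accounts that never come back to accept can be found in the log.
    watchdog('mymodule', 'Terms check deferred for uid @uid (one-time login link).',
      array('@uid' => $account->uid), WATCHDOG_NOTICE);
    return;
  }

  // Normal login: hand over to Legal's check, if the module is enabled.
  if (function_exists('legal_user_login')) {
    legal_user_login($edit, $account);
  }
}
```

Clear the caches after enabling the module so the hook implementation list is rebuilt.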

zeezhao’s picture

@hosais - thanks for the tip in #22. This appears to work since even one time users will get directed to change their password, and hence will need to accept the legal form [at bottom] before saving anyway...

Leeteq’s picture

There are several clashes between various security-related modules. The reality is that we need Legal module to fit into various scenarios, not only one specific use case.

Here are some observations from not only one focus (several sites that have slightly different needs, but all want to use the Legal module, which then intervenes in these modules' login processes, especially when using one-time-login links at the same time as the user in question either needs to verify the ToS or re-verify the ToS after a change):

1. Basically we want users that have not (yet) registered a Yubikey for two-factor authentication to be forced to get a password link through their email account EVERY TIME they log in, and do away with normal passwords altogether. There are feature requests filed with both the https://www.drupal.org/project/passwordless module and the https://www.drupal.org/project/yubikey module to let them co-exist. They cannot be combined at the moment.

2. We use the https://www.drupal.org/project/userprotect module to prevent the possibility to even open the user edit page for certain roles. Not sure if this module has any incompatibilities or the like that may affect the other problems, but mentioning it here for the context, as it is often part of the mix.

3. Then, we would like to use the login_destination module to specify which page certain users/roles etc. should be automatically redirected to, especially when using one-time password links.

This is as of now completely impossible if using the Legal module. The login_redirect prevents the terms from being shown, and the result of the conflict is that login_redirect wins and redirects the user to the destination page but WITHOUT being logged in. Simply cannot log in with login_redirect and Legal module enabled at the same time. See issue: #447476: conflict at login with login_destination module

4. Further, we want to be able to send one-time login links from the admin interface to selected users, or also print a list of login links - using the https://www.drupal.org/project/one-time-login module, but this module does not work along with Administration Views module ( https://www.drupal.org/project/admin_views ), which most of our projects depend on for (several) other (good) reasons...

OK, so these issues are obviously not all related to the Legal module, but they will be resolved, and when they have been fixed, these are the types of environments that we need the Legal module to fit right into.

IMO, the first things to do for Legal module is:

a) check if it can work with login_destination module

b) check what is needed for it to play nicely with the https://www.drupal.org/project/yubikey module. (PS. the Yubikey module itself needs more flexible handling of situations where it is desirable to be allowed to get a password link by email.)

Finally, I am confused about one particular point:
- What exactly is the function of the general permission "View Terms of Service" on the normal Drupal Permissions page? As far as I can see, all users can see the ToS regardless of having this permission or not, but more problematically is the fact that we really do NOT want some selected ADMIN roles to be pulled into the ToS carousel at all, only selected roles, but all users regardless of role are forced to accept the ToS when it changes.
See issue: #1661488: add "skip Terms and Conditions" permission to control which users see T&C by role/permission

Leeteq’s picture

Some additional info:

When I use Legal module with https://www.drupal.org/project/tfa - the new Two-Factor Authentication module that is also used here at D.O. now, I can "partially" get it to work. Here is what happens:

- It works well for normal TFA + Legal-ToS change acceptance.

- When using a password reset link at the same time as there is a new ToS version to confirm, I get to use the one-time login link, then the ToS page appears correctly, I tick "Accept" and save, and then I am presented with an Access Denied page, and I am logged out.

- However, that "Acceptance" has been recorded for the correct user, and I can then log in again with that user account successfully without problems, also can request a new one-time login link which works and logs me in without presenting the ToS change another time (it has successfully been recorded as updated/accepted).

It seems that it is the destination parameter that is not handled properly (or at all) by the Legal module.

Robert Castelo’s picture

Status: Active » Closed (cannot reproduce)

I've tested with one-time-login links generated by an administrator creating a new user (with notify enabled), and by a user requesting a password reset - in both cases I can't reproduce this issue, so marking it as fixed.

If anyone is having an issue with T&Cs and one-time-login links please create a new issue and include the steps necessary to reproduce the issue.