logged-in user + /user/register -> access denied

By jim_at_miramontes on 13 Feb 2007 at 01:42 UTC

If a user is logged into Drupal and tries to go to the user registration page, they get an "access denied" error. You can see this happen on drupal.org (http://www.drupal.org/user/register).

I'd prefer to send the user to their profile page (/user/123), perhaps with a message noting that they're already registered. Before I start hacking the user module (presumably in user_menu), can anyone point out a more principled way to do this, or problems with doing this in the first place?

Comments

I agree

kcouch commented 16 February 2007 at 18:36

I don't see any harm in showing a logged in user the register page again. This has caused a lot of confusion for users on some of my Drupal sites. It would be helpful if the message was even friendlier... i.e. "You are already logged in." with a link to logout.

I agree too

B-Dot commented 8 March 2007 at 03:44

I'm trying to theme the user/register page and finding it a pain to not be able to view it while I'm logged into the site.

Is there even a work around for this?

kcouch commented 3 June 2007 at 00:48

This issue comes up all the time for me. At this point, I'd settle for just being able to customize the message that shows up on this page.

Hacking user_menu?

jim_at_miramontes commented 7 June 2007 at 00:51

I haven't looked at this carefully yet, but it seems like one could hack user_menu to deal with this. There's a section like so:

    $items[] = array('path' => 'user/register', 'title' => t('register'),
      'callback' => 'user_register', 'access' => $user->uid == 0 && variable_get('user_register', 1), 'type' => MENU_LOCAL_TASK);

and I guess you'd change the callback to user_view (passing $user->uid in via callback arguments) when $user->uid is not 0. But then you'd still need the rule in its original form to properly hand non-logged-in people off to user_register, and (as I'm demonstrating) I'm not familiar enough with Drupal's menu system to know how it copes (or if it can cope) with two $items[] statements that have the same path, but that differ in their access rules. I guess you could pass all calls to user/register off to a separate function that would decide where to go, but that's getting pretty ugly. More thought (and wisdom) is needed here.

Well I tried this solution

budibull commented 8 June 2007 at 18:23

Well I tried this solution but it doesn't work. I also tried to redirect if the user in logged in with a custom access denied page but it still doesn't work.
Does anyone have a solution?
It's weird we can't have a login form on the registration page...

Any thoughts?

Thanks

I was able to use a redirect

kcouch commented 2 July 2007 at 22:21

A simple bit of PHP code did the trick for me, although I would rather not have to put hacks in like this. Basically, check if the user is logged in and the URL is "denied" (e.g. if arg(0) = "denied") and then do a PHP redirect. A Drupal redirect doesn't work since it gets stuck in a redirect loop.

Please kcouch, could you tell

worldon commented 9 September 2013 at 12:14

Please kcouch, could you tell me where I can change this simple bit of code...I have a problem that seems to will be solve with your issue..

Thank's in advanced.

Registered users loop

worldon commented 9 September 2013 at 12:12

Hi friends!

I have a problem of user access to my web.
When a user already registered, enter your login to the web, the system refuses and does not give permission to perform actions, as if I did not acknowledge their permits. This only happens the first time.
However, when this same user "Logs" and re-enters the system recognizes him.
I have been reading all your issues, but I think that are not for my problem... do you have any siggestion?
Thank's in advanced!

reister & login access denied

gatezone commented 4 July 2007 at 18:25

I'm confused... I have been building a Drupal site for the last five days (on and off again) and I had no problem getting to the registration page while I was logged in, I even put a Members menu link that went to that page instead of a blatant login block.

Then I made a change (which I have reverted) removing the navigation block for unregistered users) and now I am unable to get to the registration page where I used to be able to see three tabs - my account, login, request password. This is while logged in as the Admin account...?

Wow

monkeybeach commented 31 July 2007 at 13:55

I thought this was a bug and just got round to looking into what I'd done to cause it:

What I get is:

a) Going to user/register when logged in gives access denied, although I can live with this as its not a likely situation (my site has no register links for authenticated users)

b) Much more seriously pressing submit to login after filling out username and password sends you back to /user/login and gives access denied which would give users the initial impression they're not logged in properly although they are.

Sounds very much related to the issue on this thread and I think may have occured when I turned clean urls on although not sure on that :-(

Anyone help me with this?

My "solution"

HorsePunchKid commented 1 August 2007 at 20:33

This is just a "works for me" hack: in user.module, function user_menu, around line 715 where the user/register item is defined, just take out the !$user->uid part of the access check.

user_register_undenied.patch:

--- user.module.original        2007-08-01 09:38:57.000000000 -0700
+++ user.module 2007-08-01 09:39:05.000000000 -0700
@@ -712,7 +712,7 @@ function user_menu($may_cache) {
       'callback' => 'drupal_get_form', 'callback arguments' => array('user_login'),
       'access' => !$user->uid, 'type' => MENU_DEFAULT_LOCAL_TASK);
     $items[] = array('path' => 'user/register', 'title' => t('Create new account'),
-      'callback' => 'drupal_get_form', 'callback arguments' => array('user_register'), 'access' => !$user->uid && variable_get('user_register', 1), 'type' => MENU_LOCAL_TASK);
+      'callback' => 'drupal_get_form', 'callback arguments' => array('user_register'), 'access' => variable_get('user_register', 1), 'type' => MENU_LOCAL_TASK);
     $items[] = array('path' => 'user/password', 'title' => t('Request new password'),
       'callback' => 'drupal_get_form', 'callback arguments' => array('user_pass'), 'access' => !$user->uid, 'type' => MENU_LOCAL_TASK);
     $items[] = array('path' => 'user/reset', 'title' => t('Reset password'),

I think this is a safe change, since function user_register has its own access checks, and it even conveniently does the drupal_goto to your own profile page for users who do not have permission to create other new users.

Make sure you clear your menu cache after doing this.

-- Steven N. Severinghaus

Thank You!

Dwight Tovey commented 9 May 2008 at 14:58

Steven - Thank you for finding that. This was turning into a big problem for one of my sites.

In looking through the user code, I can't see any reason for the $user->uid check. Any chance of this change getting incorporated into the main code so that I won't have to remember to "fix" it every time I update?

I just made a workflow to get round this

Athaclena commented 28 May 2008 at 17:58

I needed a solution since I need to link to registration from within a flash file... and I don't know the first thing about flash (can't edit or change it).
So I looked at workflow-ng and made a workflow to do the redirect, firing when user is going to view a page and comparing the page url to "register". I can post the export data here if anyone is interested.

I'm still wondering if this is overkill, but I don't know how much of a difference it will make. And my sire is small, not going to be very community based so it may not be so much of a problem.

Drupal 6?

beauz commented 23 June 2008 at 05:53

has anyone got a method for doing this on Drupal 6.2?

For D6 w/o modifing the user module

loze commented 24 June 2008 at 18:35

yes. I just did it! I think i just may be getting the hang of this :)
Here is what i did:

Let me start by saying i am still very new to drupal. This may not be the right way to do it or even wise to do it at all.

I made a custom module with 2 functions, implementing hook_menu_alter, and changing the access callback.


function myreg_menu_alter(&$callbacks) {
	// here I alter the access callback function for the path user/register

	$callbacks['user/register']['access callback'] = 'myreg_register_access';
	 
}

function myreg_register_access() {

  // in the original user module this function is 'user_register_access'
  // return user_is_anonymous() && variable_get('user_register', 1); 
  // i just simply removed the 'user_is_anonymous' call in the access check. so....

  return variable_get('user_register', 1);

}

This redirects a logged in user to their account view page when they goto 'user/register'
im not sure why. I had thought it would allow the reg form to be accessed and not redirect. This is bearable for my purposes i guess, but I guess there is check somewhere else that redirects to the account page. Can anyone out there answer that?

anyway, hope that helps

Slight improvement

codevelopment

Perth, Australia

commented 5 August 2009 at 17:43

Thank you, this worked well for me. This should really be in core by now, there's been a feature request in for it since 2005: http://drupal.org/node/17664#file-test-results-17664-1357290 .

One slight improvement to the above, is to give the user a message stating they're already registered, and then to redirect them to their user page. I modified the myreg_register_access() function from loze's myreg module, as follows:

function myreg_register_access() {
  
  global $user;
  if ($user->uid) {
    drupal_set_message( t('You are already registered as a member.'), 'status', FALSE);
    drupal_goto('user');
  }
  else {
    return variable_get('user_register', 1);
  }

}

Tested and working in Drupal 6.13.

thanks

Matt V. commented 14 December 2009 at 21:22

loze & asimov,

Thanks for posting your code. I borrowed from what you two posted and created a module for Drupal 6, called Already In.

In user.module, modify

boran commented 10 September 2009 at 01:48

In user.module, modify user_register_access

function user_register_access() {
  // If a user is logged in, don't show "access denied"
  // but show the register form anyway
  //return user_is_anonymous() && variable_get('user_register', 1);
  return variable_get('user_register', 1);
}

Of course the separate module is more elegant..

Just noticed the "Already In"

boran commented 23 February 2010 at 07:29

Just noticed the "Already In" module announced above. Works great.
Thanks Matt.

And FYI the issue is tracked here: http://drupal.org/node/17664

this brings you no where

massyboy commented 19 October 2010 at 19:34

this does not bring you to the user/register form again but to /user/5 which is nothing at all... (well just this "history" title with "member for..." etc...)
the return variable must be something else but I don't know what exactly...

I really don't like this tweaking as if it's inherent in all drupal website development and as if:
-or you must be your own developer (create your own modules --> see this multiple registration form problems an discussion on the different fora)
-or you activate modules based on other modules between other modules... going down the rabbit whole...aaargh
-or you tweak so much in the PHP of the different files that you might start asking: what's the point (of drupal)?
(wasn't it just lego block building? --> discussion of learning curves)

anyway Boran thanks for the attempt, we all keep on 'attempting' :-)

another angle taken to this issue

massyboy commented 20 October 2010 at 11:46

Instead of making it possible to complete another registration as an already registered user, I'm taking another appoach:
A certain type of registered users, so to speak linked to a certain role, would have some admin privileges:
They are able to create user (/admin/user/user/create).
First issue: by enabling this permission for that role, they can even have access to more handling than I really want (but that's an issue for later --> yet another one "going trough the maze")
Major issue: If this registered user in "that role" hass the oportunity of creating new users, I really do not want him to be obliged to fill in all the same fields of the custom registration form that was initially there.
--> Now this is going parallel with maybe other thread about ways of having multiple forms (also there it's amaze: choosing the way of module on modules on modules, eg the dirty way or building your own module, the clean but heavy way, discussion about the learning curve)
last issue: If that registered user (say a company partner) can make new users, can they be somehow linked (ofcourse basically in the database to the registered user/company partner that made him?.

I feel that these things/this request are normal things on company websites tough within drupal this is exotic in the way that it's not just the lego building approach by modules on modules on modules, to be expected...

I feel I'm still flirting with the "I suck" threshold within the learning curve by Dries Buytaert, while i also feel that this request must at least require a knowledge flirting with the "I rule" threshold. Pf course If I was there, I would be posting this.
In my big disadvantage: I have littke time to implement this, which might be contradictionary towards the needs of time to obtain the knowledge to easy, common and natural request but difficult approach towards solution.

Sorry for the article this post is becomming.

Drupal 5?

skizzo commented 8 July 2008 at 13:14

can anyone provide a patch (or a mini
module) for Drupal 5.7 ???
Thank you.

change user_access

allentseng commented 12 September 2008 at 14:40

Our way toward this is change user_access to TRUE. that way any one can access the page.
'callback' => 'drupal_get_form', 'callback arguments' => array('user_login'),
'access' => !$user->uid, 'type' => MENU_DEFAULT_LOCAL_TASK);

'callback' => 'drupal_get_form', 'callback arguments' => array('user_login'),
'access' => TRUE, 'type' => MENU_DEFAULT_LOCAL_TASK);

though, very worry about this could lead to security issue. if it were, pls point us out.

Thanks for this tip, i used

marie_t commented 29 October 2008 at 06:18

Thanks for this tip, i used the workflow-ng method you described and it worked like a charm! Just the solution we needed.

htaccess workaround

mikeytown2 commented 9 October 2009 at 19:53

If your using the Boost module it sets the DRUPAL_UID cookie if logged in. Add this code to redirect user/login and user/register to the homepage.

  RewriteCond %{HTTP_COOKIE} DRUPAL_UID
  RewriteCond %{REQUEST_URI} ^/user/login [OR]
  RewriteCond %{REQUEST_URI} ^/user/register
  RewriteRule ^user/.* / [L,R=307]

Place it right below

  # If your site is running in a VirtualDocumentRoot at http://example.com/,
  # uncomment the following line:
  # RewriteBase /

and above the boost rules

Issue Created

mikeytown2 commented 9 October 2009 at 20:10

#600472: Confused users: Already logged in users get 403 on user/login or user/register

Thank you!!! :)

Ela commented 7 January 2010 at 08:06

Thank you for the htaccess workaround !!! Works great!! :)

If you don't have boost..

iAugur commented 22 April 2010 at 15:12

Thanks for the snippet for the htaccess.
If you don't have boost (and want to send users to their profile page if they try to access the login page) then the following works

  RewriteCond %{HTTP_COOKIE} [SESS]* 
  RewriteCond %{REQUEST_URI} ^/user/login [OR]
  RewriteCond %{REQUEST_URI} ^/user/register
  RewriteRule ^user/.* /user [L,R=307]

It doesn't affect anonymous users.

George Boobyer
www.blue-bag.com

But this doesn't seem to

tonycurzonprice commented 21 January 2012 at 11:04

But this doesn't seem to allow registration for anonymous users - all registration requests are redirected to login, at least for me!

redirecting to a node

weseze commented 19 January 2010 at 08:21

I needed to redirect logged in users visiting the register page to a custom page explaining why they can't access the register page, instead of just saying they can't. This little function in a custom module does the trick: (it redirect to node/10)

function mymodule_init()
{
    global $user;
    if ($_REQUEST['q'] == 'user/register' && $user->uid > 0)
    {
        drupal_goto('node/10');
    }
}

I need authenticated users to

davidbessler commented 29 January 2010 at 22:04

I need authenticated users to be able to access the actual registration page. I use ip_authenticator to log in anonymous users within our physical facility. I still need people to be able to register, however. There is no way to log out with either of the two modules ("ip login" or "ip_authenticator"), though I have feature requests pending on both of those.

Can anyone help?

This worked for me, thanks

x_v commented 18 March 2011 at 20:52

This worked for me, thanks for posting this @weseze!

can't access user pages

jday commented 30 March 2010 at 19:31

when this module is enabled the user account pages can not be accessed,
I have 'user' as the redirect location
browser says
Too many redirects occurred

same here on /user and

vaccinemedia commented 13 April 2010 at 11:09

same here on /user and /users/admin

I'm a Drupal Website Developer and Google Street View Trusted Photographer.

Already In?

Matt V. commented 13 April 2010 at 22:20

jday & fortina,

When you say "this module" are you referring to a custom module you made based on the code snippets above or to the Already In module? If you're referring to the Already In module, please open a ticket in the issue queue for Already In instead.

How about simply creating a

alberto56 commented 20 April 2010 at 11:44

How about simply creating a block, putting in there something like "You can't register because you are already logged in!", and then placing that block below the content only on the user/register page, and only accessible to authenticated users? That way there's no fiddling with custom code or hacks.
You could even use css to hide the content section of that particular page (the part that says "Access Denied") using {display:none} if your theme provides a unique body class for that page.

Cheers,

Albert.

Albert I have been trying to

druupydog commented 1 July 2010 at 09:06

Albert

I have been trying to get my block to display on my user/register page and it will not display when I set:

Show block on specific pages:

+ Show on only the listed pages.

user/register

Is that the wrong link for register page it is what shows in address bar?

I am using Drupal 6.17

If you can tell me the correct configure, many thanks.

Should work...

skizzo commented 18 March 2011 at 21:28

in my installation It works as expected. D6.18, theme Garland, Show on only the listed pages: user/register, Show block for specific roles: authenticated user, block assigned to Content region. Also, please be aware that 404 "Not Found" pages do not render Left and Right regions (use module blocks404 if you need those)

If you are using AutoAssignRole

mattcasey commented 7 April 2012 at 20:04

If you are using the AutoAssignRole module, you will need to change the access callback for your custom paths as well. In D6, I have a special path for artists:

function helper_menu_alter(&$items) {
  // Display user registration for people logged in
  $items['user/register']['access callback'] = 'helper_register_access';
  $items['user/register/artist']['access callback'] = 'helper_register_access';
}
function helper_register_access() {
  return variable_get('user_register', 1);
}

logged-in user + /user/register -> access denied

Comments

New forum topics