logged-in user + /user/register -> access denied
jim_at_miramontes - February 13, 2007 - 01:42
If a user is logged into Drupal and tries to go to the user registration page, they get an "access denied" error. You can see this happen on drupal.org (http://www.drupal.org/user/register).
I'd prefer to send the user to their profile page (/user/123), perhaps with a message noting that they're already registered. Before I start hacking the user module (presumably in user_menu), can anyone point out a more principled way to do this, or problems with doing this in the first place?
I agree
I don't see any harm in showing a logged in user the register page again. This has caused a lot of confusion for users on some of my Drupal sites. It would be helpful if the message was even friendlier... i.e. "You are already logged in." with a link to logout.
I agree too
I'm trying to theme the user/register page and finding it a pain to not be able to view it while I'm logged into the site.
Is there even a work around for this?
This issue comes up all the time for me. At this point, I'd settle for just being able to customize the message that shows up on this page.
Hacking user_menu?
I haven't looked at this carefully yet, but it seems like one could hack user_menu to deal with this. There's a section like so:
$items[] = array('path' => 'user/register', 'title' => t('register'),'callback' => 'user_register', 'access' => $user->uid == 0 && variable_get('user_register', 1), 'type' => MENU_LOCAL_TASK);
and I guess you'd change the callback to user_view (passing $user->uid in via callback arguments) when $user->uid is not 0. But then you'd still need the rule in its original form to properly hand non-logged-in people off to user_register, and (as I'm demonstrating) I'm not familiar enough with Drupal's menu system to know how it copes (or if it can cope) with two $items[] statements that have the same path, but that differ in their access rules. I guess you could pass all calls to user/register off to a separate function that would decide where to go, but that's getting pretty ugly. More thought (and wisdom) is needed here.
Well I tried this solution
Well I tried this solution but it doesn't work. I also tried to redirect if the user in logged in with a custom access denied page but it still doesn't work.
Does anyone have a solution?
It's weird we can't have a login form on the registration page...
Any thoughts?
Thanks
I was able to use a redirect
A simple bit of PHP code did the trick for me, although I would rather not have to put hacks in like this. Basically, check if the user is logged in and the URL is "denied" (e.g. if arg(0) = "denied") and then do a PHP redirect. A Drupal redirect doesn't work since it gets stuck in a redirect loop.
reister & login access denied
I'm confused... I have been building a Drupal site for the last five days (on and off again) and I had no problem getting to the registration page while I was logged in, I even put a Members menu link that went to that page instead of a blatant login block.
Then I made a change (which I have reverted) removing the navigation block for unregistered users) and now I am unable to get to the registration page where I used to be able to see three tabs - my account, login, request password. This is while logged in as the Admin account...?
Wow
I thought this was a bug and just got round to looking into what I'd done to cause it:
What I get is:
a) Going to user/register when logged in gives access denied, although I can live with this as its not a likely situation (my site has no register links for authenticated users)
b) Much more seriously pressing submit to login after filling out username and password sends you back to /user/login and gives access denied which would give users the initial impression they're not logged in properly although they are.
Sounds very much related to the issue on this thread and I think may have occured when I turned clean urls on although not sure on that :-(
Anyone help me with this?
My "solution"
This is just a "works for me" hack: in
user.module, functionuser_menu, around line 715 where theuser/registeritem is defined, just take out the!$user->uidpart of the access check.user_register_undenied.patch:--- user.module.original 2007-08-01 09:38:57.000000000 -0700+++ user.module 2007-08-01 09:39:05.000000000 -0700
@@ -712,7 +712,7 @@ function user_menu($may_cache) {
'callback' => 'drupal_get_form', 'callback arguments' => array('user_login'),
'access' => !$user->uid, 'type' => MENU_DEFAULT_LOCAL_TASK);
$items[] = array('path' => 'user/register', 'title' => t('Create new account'),
- 'callback' => 'drupal_get_form', 'callback arguments' => array('user_register'), 'access' => !$user->uid && variable_get('user_register', 1), 'type' => MENU_LOCAL_TASK);
+ 'callback' => 'drupal_get_form', 'callback arguments' => array('user_register'), 'access' => variable_get('user_register', 1), 'type' => MENU_LOCAL_TASK);
$items[] = array('path' => 'user/password', 'title' => t('Request new password'),
'callback' => 'drupal_get_form', 'callback arguments' => array('user_pass'), 'access' => !$user->uid, 'type' => MENU_LOCAL_TASK);
$items[] = array('path' => 'user/reset', 'title' => t('Reset password'),
I think this is a safe change, since function
user_registerhas its own access checks, and it even conveniently does thedrupal_gototo your own profile page for users who do not have permission to create other new users.Make sure you clear your menu cache after doing this.
-- Steven N. Severinghaus
Thank You!
Steven - Thank you for finding that. This was turning into a big problem for one of my sites.
In looking through the user code, I can't see any reason for the $user->uid check. Any chance of this change getting incorporated into the main code so that I won't have to remember to "fix" it every time I update?
I just made a workflow to get round this
I needed a solution since I need to link to registration from within a flash file... and I don't know the first thing about flash (can't edit or change it).
So I looked at workflow-ng and made a workflow to do the redirect, firing when user is going to view a page and comparing the page url to "register". I can post the export data here if anyone is interested.
I'm still wondering if this is overkill, but I don't know how much of a difference it will make. And my sire is small, not going to be very community based so it may not be so much of a problem.
Drupal 6?
has anyone got a method for doing this on Drupal 6.2?
For D6 w/o modifing the user module
yes. I just did it! I think i just may be getting the hang of this :)
Here is what i did:
Let me start by saying i am still very new to drupal. This may not be the right way to do it or even wise to do it at all.
I made a custom module with 2 functions, implementing hook_menu_alter, and changing the access callback.
<?php
function myreg_menu_alter(&$callbacks) {
// here I alter the access callback function for the path user/register
$callbacks['user/register']['access callback'] = 'myreg_register_access';
}
function myreg_register_access() {
// in the original user module this function is 'user_register_access'
// return user_is_anonymous() && variable_get('user_register', 1);
// i just simply removed the 'user_is_anonymous' call in the access check. so....
return variable_get('user_register', 1);
}
?>
This redirects a logged in user to their account view page when they goto 'user/register'
im not sure why. I had thought it would allow the reg form to be accessed and not redirect. This is bearable for my purposes i guess, but I guess there is check somewhere else that redirects to the account page. Can anyone out there answer that?
anyway, hope that helps
Slight improvement
Thank you, this worked well for me. This should really be in core by now, there's been a feature request in for it since 2005: http://drupal.org/node/17664#file-test-results-17664-1357290 .
One slight improvement to the above, is to give the user a message stating they're already registered, and then to redirect them to their user page. I modified the myreg_register_access() function from loze's myreg module, as follows:
<?php
function myreg_register_access() {
global $user;
if ($user->uid) {
drupal_set_message( t('You are already registered as a member.'), 'status', FALSE);
drupal_goto('user');
}
else {
return variable_get('user_register', 1);
}
}
?>
Tested and working in Drupal 6.13.
thanks
loze & asimov,
Thanks for posting your code. I borrowed from what you two posted and created a module for Drupal 6, called Already In.
--
Drupal 6 Theming Cheat Sheet
In user.module, modify
In user.module, modify user_register_access
function user_register_access() {// If a user is logged in, don't show "access denied"
// but show the register form anyway
//return user_is_anonymous() && variable_get('user_register', 1);
return variable_get('user_register', 1);
}
Of course the separate module is more elegant..
Drupal 5?
can anyone provide a patch (or a mini
module) for Drupal 5.7 ???
Thank you.
change user_access
Our way toward this is change user_access to TRUE. that way any one can access the page.
'callback' => 'drupal_get_form', 'callback arguments' => array('user_login'),
'access' => !$user->uid, 'type' => MENU_DEFAULT_LOCAL_TASK);
'callback' => 'drupal_get_form', 'callback arguments' => array('user_login'),
'access' => TRUE, 'type' => MENU_DEFAULT_LOCAL_TASK);
though, very worry about this could lead to security issue. if it were, pls point us out.
Thanks for this tip, i used
Thanks for this tip, i used the workflow-ng method you described and it worked like a charm! Just the solution we needed.
htaccess workaround
If your using the Boost module it sets the DRUPAL_UID cookie if logged in. Add this code to redirect user/login and user/register to the homepage.
RewriteCond %{HTTP_COOKIE} DRUPAL_UIDRewriteCond %{REQUEST_URI} ^/user/login [OR]
RewriteCond %{REQUEST_URI} ^/user/register
RewriteRule ^user/.* / [L,R=307]
Place it right below
# If your site is running in a VirtualDocumentRoot at http://example.com/,# uncomment the following line:
# RewriteBase /
and above the boost rules
Issue Created
#600472: Confused users: Already logged in users get 403 on user/login or user/register
Thank you!!! :)
Thank you for the htaccess workaround !!! Works great!! :)
redirecting to a node
I needed to redirect logged in users visiting the register page to a custom page explaining why they can't access the register page, instead of just saying they can't. This little function in a custom module does the trick: (it redirect to node/10)
<?phpfunction mymodule_init()
{
global $user;
if ($_REQUEST['q'] == 'user/register' && $user->uid > 0)
{
drupal_goto('node/10');
}
}
?>
I need authenticated users to
I need authenticated users to be able to access the actual registration page. I use ip_authenticator to log in anonymous users within our physical facility. I still need people to be able to register, however. There is no way to log out with either of the two modules ("ip login" or "ip_authenticator"), though I have feature requests pending on both of those.
Can anyone help?