We have developed a site that uses this module and the client is experiencing an issue whereby roles for users aren't always assigned the first time they sign in. When users sign in a second time they pick up the correct role, so it seems to be an issue when the account is created.
We are using the Shibboleth group roles options (admin/user/shib_auth/rules) to give a sticky role to users depending on their HTTP_UNSCOPED_AFFILIATION attribute.
Unfortunately we don't have any further information about when this happens or under what circumstances, but perhaps someone else has experienced a similar issue or can provide some clues as to why this might happen?
Comments
Comment #1
kleve commented
We are experiencing what sounds like the same problem on the 7.x-4.x-dev version.
When a user has logged in the first time an access denied message appears. If the user refreshes the page or visits another page on the site, the user is authenticated and the content is displayed. An existing user always gets authenticated after login and the content is displayed without any access denied message.
We have been unable to find what could be the cause and would appreciate some hints on solving this problem and/or bug.
Some notes from the debugging of the problem
Row 1322 - Seems like the after_update option has been removed from D7 according to the api. Potential problem?
The most logical would be that the shib_auth_save_authmap function is not working in some way, but I did a user_access('access content') check after the user_external_login_register function and it returned TRUE so it seems the user is created and authenticated. Could it be that this changes somewhere after this?
Comment #2
Jarek Polok commented
Hello,
We experience the same problem, with the 7.x version.
Looking through the code I believe there is a small problem: shib_auth_init() while creating new account logs it in but does not assign roles - since the code for doing that is BEFORE account creation code - on subsequent page reloads roles are assigned properly.
Attached patch seems to fix the problem for us (against 7.x branch ...)
Jarek
Comment #3
kleve commented
Seems to do the trick. Works for us too.
Updated the module with a patch based on Jarek Polok's #2 patch.
Comment #4
shafter commented
I keep trying to reproduce the issue, with no luck. Do you use isPassive, or any booster / aggressive cacher module?
We are trying to make this patch more generic, we should insert role assignment at the end of the init function, for example, to be effective with customization functions as well, but we'd like to avoid assigning sticky roles to wrong users when linking an account.
Comment #5
Jarek Polok commented
No, we do not use isPassive, but we do use memcache, maybe this explains it?
Comment #6
shafter commented
We managed to reproduce the issue with memcache module. The test case was that the user deleted himself, and he was instantly re-created by Shibboleth, but the roles weren't assigned on this page load. It is a good idea to have another role assignment at the end of the registration process as well. We decided to insert it at the end of the init hook, to run after all kinds of registrations (custom username/email/consent enabled).
Fixed in 6.x-dev. http://drupalcode.org/project/shib_auth.git/commitdiff/4f7feeeb5f0376c03...
and 7.x-dev http://drupalcode.org/project/shib_auth.git/commitdiff/66b84febfbc1bfd84...
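The ordering problem described in comments #2 and #6, as an added example that is not part of the thread or of the shib_auth code: a plain-PHP model of one init hook run twice for a new user, once with role assignment before registration and once with it at the end. The function names, the rule, the role name and the attribute value are all hypothetical or constructed, and the account-linking case raised in comment #4 is not modelled.

```php
<?php
// Plain-PHP model of the first-login ordering problem; not shib_auth code.
// All names here (init_hook, assign_roles, $rules, ...) are hypothetical.

// Constructed rule: server attribute, expected value, sticky role to grant.
$rules = [['HTTP_UNSCOPED_AFFILIATION', 'staff', 'editor']];

function assign_roles(?array &$account, array $server, array $rules): void {
    if ($account === null) {
        return; // No account yet, so there is nothing to attach a role to.
    }
    foreach ($rules as [$attr, $value, $role]) {
        if (($server[$attr] ?? null) === $value && !in_array($role, $account['roles'], true)) {
            $account['roles'][] = $role;
        }
    }
}

// One page request. $users stands in for the accounts table.
function init_hook(array &$users, array $server, array $rules, bool $assignAtEnd): array {
    $name = $server['REMOTE_USER'];
    $account = $users[$name] ?? null;
    if (!$assignAtEnd) {
        assign_roles($account, $server, $rules); // Runs before registration.
    }
    if ($account === null) {
        $account = ['name' => $name, 'roles' => []]; // First sign-in: create and log in.
    }
    if ($assignAtEnd) {
        assign_roles($account, $server, $rules); // Runs after any registration path.
    }
    $users[$name] = $account;
    return $account['roles']; // Roles in effect for this request.
}

// Constructed request attributes for a user with no existing account.
$server = ['REMOTE_USER' => 'alice@example.org', 'HTTP_UNSCOPED_AFFILIATION' => 'staff'];

foreach ([false, true] as $assignAtEnd) {
    $users = [];
    $first = init_hook($users, $server, $rules, $assignAtEnd);
    $second = init_hook($users, $server, $rules, $assignAtEnd);
    printf("%s: first request [%s], second request [%s]\n",
        $assignAtEnd ? 'assign at end' : 'assign before registration',
        implode(',', $first), implode(',', $second));
}
```

A check of this shape, asserting on the roles held at the end of the very first authenticated request, is what catches the regression; testing only with existing accounts does not.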