I've used this module on many Drupal 6 sites, and love it. However, on the first D7 site I've tried this on, I'm experiencing a permission issue for Anonymous use.

When I click the "Watch" link on a node in a logged out state, if I look in firebug's console I can see an access denied response returned, and the message in the HTML text of the response is "You have followed an invalid link".

Permissions are set correctly for anonymous users, and the module works fine for logged in users. Logged out users simply see the link fade-out and fade-in without changing or working.

My user table has the proper user 0 as well. Looking at the module code, it looks like this could be related to the token match check, but I haven't spent a great deal of time looking into it.

Comments

j9’s picture

Same problem. When an anonymous user clicks on the link to watch a node, it fades away, and then reappears after about three seconds. I copied the watcher link and posted it into the URL bar and it also said I followed an invalid link. Anyone have a clue about this? Thanks! :0)

d.novikov’s picture

Priority: Normal » Major

"it looks like this could be related to the token match check"

Yes, it is. Drupal doesn't use sessions for anonymous users, and therefore, returns different tokens from the drupal_get_token function even for equal values.

I'm looking for a possible solution.

j9’s picture

Super excellent, d.novikov !

Can't tell you how useful this mod is for keeping an anonymous community up to date! :0)

Let us know when to try out a dev-release and we'll let you know how it goes. Thanks again!

d.novikov’s picture

Guys, I'm back on the road. Working on this issue.

Anonymous’s picture

I suspect you can accomplish the task at hand using CTools. Page Manager / Panels has built-in awareness of whether or not the current user is anonymous or authenticated. They rely on CTools.

d.novikov’s picture

Status: Active » Needs review

Guys, I finally refactored the module to use standard Drupal token functions. Anonymous watching works now!

Please check and don't hesitate with comments and bugs. And don't forget to flush caches after the code update.

d.novikov’s picture

Issue summary: View changes
Attachment: status new, size 10.54 KB

I was wrong - the issue was not fixed. Please review the patch I'm attaching to this comment.

  • d.novikov committed 4b2970a on
    Issue #1479544 by d.novikov: Anonymous Permission Problem (maybe token...

d.novikov’s picture

Version: 7.x-1.x-dev » 7.x-1.0

ybabel’s picture

Patch #7 doesn't apply for me (watcher v1)

error: pendant la recherche de :
    'title' => 'Watcher Toggle Watching Post',
    'page callback' => '_watcher_watch_toggle',
    'page arguments' => array(4),
    'access callback' => '_watcher_menu_access_toggle_watching_post',
    'access arguments' => array(1),
    'type' => MENU_CALLBACK
  ) + $base_include;


error: le patch a échoué : watcher.module:355
error: watcher.module : le patch ne s'applique pas

ybabel’s picture

with the last code from git :

jquery.js?v=1.4.4:142 GET http://localhost/drupal7/user/0/watcher/toggle/3?destination=node/3&token=jOgC_kcT8vYerdWHuo5XkeAw47jYP1YO_hJodrlS4ZQ&async=true
 403 (Forbidden)
c.extend.ajax @ jquery.js?v=1.4.4:142
ajaxToggleWatch @ watcher.js?o2do67:124
(anonymous function) @ watcher.js?o2do67:114
e.complete @ jquery.js?v=1.4.4:152
c.fx.step @ jquery.js?v=1.4.4:156
e @ jquery.js?v=1.4.4:153
c.extend.tick @ jquery.js?v=1.4.4:157

ybabel’s picture

The problem seems to come from the function _watcher_menu_access_toggle_watching_post_auth.
It doesn't detect anonymous users well.
I tested it by always returning TRUE, and it worked.

ybabel’s picture

Attachment: status new, size 490 bytes

proposed patch to fix the permission problem

d.novikov’s picture

@ybabel, is "Use Watcher" permission set for anonymous users?

dankung1’s picture

@ybabel
I used the #13 patch, not the #7 patch.

The problem remains for anonymous users. It fades away, and then reappears after about three seconds.

nathan573’s picture

Using the latest code and I'm still getting the behavior outlined in the original issue. Was able to work around by adding $skip_anonymous = TRUE to drupal_valid_token call in _watcher_menu_access_toggle_watching_post_auth but I'm not sure if this is safe. Seems like it would be but it'd be nice to hear a definitive yes or why this is still not working properly.

Thank you
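The token mismatch described earlier in the thread and the effect of the $skip_anonymous workaround, as an added stand-alone model; it is not part of any comment here and is neither Watcher nor Drupal core code. The `model_*` functions, the `new_session_id()` helper, the secret and the token value are hypothetical, and the model assumes the token is an HMAC keyed with the session ID plus site secrets, with a cookieless anonymous visitor getting a new session ID on every request.

```php
<?php
// Added model of the token check discussed in this thread (not project code).
// Constructed stand-in for the site's private key and hash salt.
const SITE_SECRET = 'constructed-private-key.constructed-hash-salt';

// Models drupal_get_token(): HMAC of the value, keyed with session ID + site secrets.
function model_get_token(string $value, string $session_id): string {
  $raw = hash_hmac('sha256', $value, $session_id . SITE_SECRET, TRUE);
  return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Models drupal_valid_token($token, $value, $skip_anonymous).
function model_valid_token(string $token, string $value, string $session_id,
                           int $uid, bool $skip_anonymous = FALSE): bool {
  if ($skip_anonymous && $uid === 0) {
    return TRUE; // the submitted token is never inspected for uid 0
  }
  return hash_equals(model_get_token($value, $session_id), $token);
}

// Assumption: a visitor with no session cookie gets a fresh ID on each request.
function new_session_id(): string {
  return bin2hex(random_bytes(16));
}

function report(string $label, bool $ok): void {
  printf("%-46s %s\n", $label, $ok ? 'accepted' : 'rejected (403)');
}

$value = 'watcher_toggle_node_3'; // hypothetical token value

// Authenticated user: the session cookie keeps one session ID across both requests.
$sid = new_session_id();
$link_token = model_get_token($value, $sid);
report('logged in, token from rendered link', model_valid_token($link_token, $value, $sid, 5));

// Anonymous user: the link is rendered under one session ID, the click arrives under another.
$link_token = model_get_token($value, new_session_id());
$click_sid = new_session_id();
report('anonymous, token from rendered link', model_valid_token($link_token, $value, $click_sid, 0));

// Workaround from the thread: $skip_anonymous = TRUE.
report('anonymous, skip_anonymous, link token', model_valid_token($link_token, $value, $click_sid, 0, TRUE));
report('anonymous, skip_anonymous, arbitrary string', model_valid_token('not-a-token', $value, $click_sid, 0, TRUE));
```

With the flag set, a request for uid 0 is accepted whatever the token parameter contains, so the anonymous toggle URL is no longer protected by the token at all.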

kaztur’s picture

Same problem as in #15 - access denied in dblog and fading the same toggle link after click.

toddwoof’s picture

Patch in #13 works, but only for the first anonymous user who tries to use the feature after site cache is dumped, and only the first time an anonymous user tries to use the link.

So: clear site caches. Anonymous user can click the link and get the form. If you then refresh the page, or try to use the link in another browser, it doesn't work. The link vanishes for a moment and re-appears. Clear caches again, and it works again, one time.

flux423’s picture

Attachment: status new, size 514 bytes

I combined the patch in comment #13 with the comments by @nathan573 and @toddwoof.
I'm also not sure about the security implications of this.

Attached is a new patch. Tested locally and seemed to apply cleanly.

toddwoof’s picture

Patch in #19 works for me. Anonymous user can click the link and see the form.

Note: I'm using Panels, so I also have applied patch #5, here: https://www.drupal.org/node/1599588 to allow me to move the watcher link into the Node Links block.

Anonymous’s picture

Ditto to #20.

Patch in #19 appears to be working.

I also applied patch here https://www.drupal.org/node/1599588#comment-6920238 to move the link to the node links block.

It would be lovely to integrate these in an updated release. Thanks!

flux423’s picture

Thank you @toddwoof and @anneeasterling for confirming.

@d.novikov - Any way this patch can get pushed to the next release?