I've used this module on many Drupal 6 sites, and love it. However, on the first D7 site i've tried this on, I'm experiencing a permission issue for Anonymous use.
When I click the "Watch" link on a node in a logged out state, if I look in firebug's console I can see an access denied response returned, and the message in the HTML text of the response is "You have followed an invalid link".
Permissions are set correctly for anonymous users, and the module works fine for logged in users. Logged out users simply see the link fade-out and fade-in without changing or working.
My user table has the proper user 0 as well. Looking at the module code, it looks like this could be related to the token match check, but I haven't spent a great deal of time looking into it.
| Comment | File | Size | Author |
|---|---|---|---|
| #19 | fix-subscribe-perm-anon-1479544-19.patch | 514 bytes | flux423 |
| #13 | fix-subscribe-perm-anon-1479544-1.patch | 490 bytes | ybabel |
| #7 | fix-unsubscribe-email-links-1479544-7.patch | 10.54 KB | d.novikov |
Comments
Comment #1
j9 commentedSame problem. When an anonymous user clicks on the link to watch a node, it fades away, and then reappears after about three seconds. I copied the watcher link and posted into the url bar and it also said I followed an invalid link. Anyone have a clue about this? thanks! :0)
Comment #2
d.novikov commentedYes, it is. Drupal doesn't use sessions for anonymous users, and therefore, returns different tokens from the drupal_get_token function even for equal values.
I'm looking for a possible solution.
Comment #3
j9 commentedSuper excellent, d.novikov !
Cant tell you how useful this mod is for keeping an anonymous community up to date! :0)
Let us know when to try out a dev-release and we'll let you know how it goes. Thanks again!
Comment #4
d.novikov commentedGuys, I'm back on the road. Working on this issue.
Comment #5
Anonymous (not verified) commentedI suspect you can accomplish the task at hand using CTools. Page Manager / Panels has built-in awareness of whether or not the current user is anonymous or authenticated. They rely on CTools.
Comment #6
d.novikov commentedGuys, I finally refactored the module to use standard Drupal token functions. Anonymous watching works now!
Please check and don't hesitate with comments and bugs. And don't forget to flush caches after the code update.
Comment #7
d.novikov commentedI was wrong - the issue was not fixed. Please review the patch I'm attaching to the this comment.
Comment #9
d.novikov commentedComment #10
ybabel commentedPatch #7 doesn't apply for me (watcher v1)
Comment #11
ybabel commentedwith the last code from git :
Comment #12
ybabel commentedThe problem seem's to come from function _watcher_menu_access_toggle_watching_post_auth
It doesn't detect well anonymous users.
I tested it by returning always TRUE, and it worked.
Comment #13
ybabel commentedproposed patch to fix the permission problem
Comment #14
d.novikov commented@ybabel, is "Use Watcher" permission set for anonymous users?
Comment #15
dankung1 commented@ybabel
I used #13 patch, not used #7 patch.
The problem remains, for anonymous users. it fades away, and then reappears after about three seconds
Comment #16
nathan573 commentedUsing the latest code and I'm still getting the behavior outlined in the original issue. Was able to work around by adding $skip_anonymous = TRUE to drupal_valid_token call in _watcher_menu_access_toggle_watching_post_auth but I'm not sure if this is safe. Seems like it would be but it'd be nice to hear a definitive yes or why this is still not working properly.
Thank you
Comment #17
kaztur commentedSame problem as in #15 - access denied in dblog and fading the same toggle link after click.
Comment #18
toddwoof commentedPatch in #13 works, but only for the first anonymous user who tries to use the feature after site cache is dumped, and only the first time an anonymous user tries to use the link.
So: clear site caches. Anonymous user can click the link and get the form. If you then refresh the page, or try to use the link in another browser, it doesn't work. The link vanishes for a moment and re-appears. Clear caches again, and it works again, one time.
Comment #19
flux423I combined the patch in comment #13 with the comments by @nathan573 and @toddwoof.
I'm also not sure about the security implementations of this.
Attached is a new patch. Tested locally and seemed to apply cleanly.
Comment #20
toddwoof commentedPatch in #19 works for me. Anonymous user can click the link and see the form.
Note: I'm using Panels, so I also have applied patch #5, here: https://www.drupal.org/node/1599588 to allow me to move the watcher link into the Node Links block.
Comment #21
Anonymous (not verified) commentedDitto to #20.
Patch in #19 appears to be working.
I also applied patch here https://www.drupal.org/node/1599588#comment-6920238 to move the link to the node links block.
It would be lovely to integrate these in an updated release. Thanks!
Comment #22
flux423Thank you @toddwoof and @anneeasterling for confirming.
@d.novikov - Any way this patch can get pushed to the next release?