This is minor as I've found a workaround listed below, but want to know if this needs fixing or is the desired behavior. I'm sure this is changed in D6 so marking D5.

We're working on some auto-login code for Facebook. So in our hook_init() we create a local Drupal account if this user is new and override the global $user. But at this point the menu (and more importantly, it's menu items' permissions) are already built even though _drupal_bootstrap_full() says...

// Let all modules take action before menu system handles the reqest
module_invoke_all('init');

Not sure how that is happening, but it is if you throw some dvm()s into menu_get_menu(). So I've found a workaround which is calling the following code after overriding the global $user and this fixes the issue I was having where newly logged in users would see a 403 on the first page they hit (node/add/something) in this case, but a refresh would show it correctly.

// Sign in user
// ...

// Force a rebuild of the menu so new users don't get access denied on first hit.
global $_menu;
unset($_menu['items']);

Then the next time a menu func gets hit, it rebuilds it from scratch, referencing the new global $user's uid for permissions.

Thoughts? Is D6 in a similar boat? I'm sure the OpenID stuff has flushed this out so maybe this should just be closed.

Comments

dpearcefl’s picture

dpearcefl commented
Status: Active » Closed (won't fix)

Considering the age of this issue with no responses and that D5 is unsupported, I am closing this issue.