user_authenticate() can trash global $user object

heyrocker - August 16, 2007 - 17:08
Project: Drupal
Version: 5.2
Component: user.module
Category: bug report
Priority: normal
Assigned: Unassigned
Status: duplicate
Description

When a user logs in through external authentication, user_authenticate() attempts a user_load() with the user's name. The global $user object is set to the results of this user_load(), which causes the object to be trashed when the newly authenticated user does not exist locally. This causes problems for functions down the line which try and access the global $user object.

This patch addresses this problem, and also modifies a somewhat misleading comment.

Attachment: user_globaluser.patch (1.22 KB)
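
The failure mode described in this report, as an added example that is not part of the original post, the attached patch, or Drupal's code. The `demo_*` functions and the sample account are constructed stand-ins; the example contrasts assigning a lookup result directly to the global `$user` with loading it into a local variable first.

```php
<?php
// Constructed stand-ins for illustration; none of this is Drupal's code.
$accounts = [
  'alice' => (object) ['uid' => 7, 'name' => 'alice', 'roles' => [2 => 'authenticated user']],
];

// Hypothetical loader: returns the account object, or false when no local row exists.
function demo_user_load(string $name) {
  global $accounts;
  return $accounts[$name] ?? false;
}

// Hypothetical anonymous session object, the state of $user before login.
function demo_anonymous() {
  return (object) ['uid' => 0, 'name' => '', 'roles' => [1 => 'anonymous user']];
}

// Pattern from the report: the lookup result goes straight into the global.
function demo_authenticate_unsafe(string $name) {
  global $user;
  $user = demo_user_load($name); // false for a user not yet known locally
  return $user;
}

// Guarded pattern: load into a local variable, touch the global only on success.
function demo_authenticate_guarded(string $name) {
  global $user;
  $account = demo_user_load($name);
  if (is_object($account) && !empty($account->uid)) {
    $user = $account;
  }
  return $account;
}

// Downstream code that reads roles from the global $user.
function demo_role_ids(): array {
  global $user;
  return is_object($user) ? array_keys($user->roles) : [];
}

foreach (['demo_authenticate_unsafe', 'demo_authenticate_guarded'] as $fn) {
  $user = demo_anonymous();  // state before login
  $fn('bob@external');       // externally authenticated, no local account yet
  printf("%-28s \$user is %s, role ids: [%s]\n",
    $fn, gettype($user), implode(',', demo_role_ids()));
}
```

With the unguarded function the global ends up as a boolean and downstream code sees no roles at all; with the guarded one the anonymous object, including its role list, stays intact until a valid account is available.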

#1

moshe weitzman - August 16, 2007 - 21:35

This code has changed in 6, so the issue only applies to 5. I'm a bit hesitant to apply this to 5, but maybe if it gets some thorough testing.

#2

ajayg - August 20, 2007 - 19:45

I have discovered the issue mentioned here http://drupal.org/node/163458

What I found interesting is that the above condition is not happening on my test system and is happening only on the production system, so I'm wondering if there is something more here.

On test system: My external authentication module+core profile module = No errors
On production system: My external authentication module+core profile module = Error mentioned in http://drupal.org/node/163458
If I disable profile module on production I don't get any error again.

Any ideas what may be happening here, or is it the same issue showing differently?

#3

ajayg - August 21, 2007 - 00:00

Also, are we really sure user_authentication is displaying wrong behaviour in that place? Because as I understand it, the designed behaviour is that if the local user does not exist, it is supposed to create one locally. And it does this job fine when there is no profile module involved in between. So something the profile module expects (user->roles?) is not there. So the change may still be required in user_authenticate, but shouldn't that be localized to just setting user->roles?

#4

H3rnand3z - August 21, 2007 - 00:19

Looks like a similar issue with the Webserver Auth module; the problem and solution are described here http://drupal.org/node/64949#comment-105689

- Jose

#5

heyrocker - February 10, 2008 - 17:21
Status: needs review » duplicate

It appears this same problem has been resolved and a patch committed at #165642: error in SQL syntax in user.module on line 368 (or 378), so I'm marking this a dupe.

 
 
