Download & Extend
Issues

user/login should not be permissioned for logged in users

Posted by jjeff on September 30, 2007 at 1:37am
Project:Drupal core
Version:6.x-dev
Component:menu system
Category:bug report
Priority:critical
Assigned:Unassigned
Status:closed (fixed)

Issue Summary

In previous versions of Drupal, the menu item for user/login would be access denied for authenticated users. This meant that you could create a menu link (perhaps in the primary navigation) entitled something like "Login/Register" and point it to the "user/login" path. When the user logged in, the menu item would go away (because they didn't have permission for it anymore).

In Drupal 6, the authenticated user still has permission for user/login. Because of this, the menu item does not disappear from the site navigation once the user is logged in.

Login or register to post comments

Comments

#1

Posted by chx on September 30, 2007 at 2:26am
Status:active» reviewed & tested by the community

I wonder why jjeff have not rolled this trivial patch...

AttachmentSizeStatusTest resultOperations
user_login_perm-179695.patch355 bytesIgnored: Check issue status.NoneNone

#2

Posted by jjeff on September 30, 2007 at 8:24pm

Because jjeff is lazy! ...and he has not quite figured out the new menu system yet... and did I mention lazy?

:-)

Thanks chx

#3

Posted by Gábor Hojtsy on October 1, 2007 at 9:18am
Status:reviewed & tested by the community» needs work

Hm, chx, you proposed to remove the anonymous check on user/login here: http://drupal.org/node/172765 So I'd rather not add it back in now just to play limbo with that fix. Maybe we can come up with something which fits both issues?

#4

Posted by Tobias Maier on October 1, 2007 at 11:03pm

gabor: i don't think you are right.
take a look at comment #13 of the issue mentioned.
it talks about the "user" path NOT about "user/login", like this patch of chx

#5

Posted by catch on October 2, 2007 at 11:19am
Status:needs work» needs review

In that case, setting back to needs review. I agree this is a very useful behaviour to have and it'd be a shame to lose it.

#6

Posted by chx on October 2, 2007 at 10:07pm
Status:needs review» reviewed & tested by the community

Then I think this issue is again RTBC. Yes, the linked issue was about the page user which has double role. Actually that patch broke this one, because before that it inherited from 'user' now it needs explicit definition. user/register has no such problems, it has its own complicated access callback. And user/password also has anonymous check. Only user/login is without an explicit check.

#7

Posted by moshe weitzman on October 3, 2007 at 2:11am

Seems quite reasonable to me.

#8

Posted by Gábor Hojtsy on October 3, 2007 at 1:01pm
Status:reviewed & tested by the community» fixed

Thanks for the explanation, I really overlooked the fundamental difference between the two patches. This is now committed!

#9

Posted by Anonymous on October 17, 2007 at 1:11pm
Status:fixed» closed (fixed)
nobody click here