I'm using the latest dev version from git.

If the site is configured so that anonymous users don't have the "View published content" permission, an incorrect destination parameter is added to the URL when logging out.

To reproduce:
- Log in as the admin
- Remove the "View published content" permission from anonymous users
- Log out.

As a result, the user is redirected to an address that looks like this: http://d7.dev/user/login?destination=r4032login

When the user logs in, the system tries to redirect him to /r4032login, resulting in a 403 error.

Comments

firebird’s picture

Status: Active » Needs review
StatusFileSize
new442 bytes

This actually happens every time a user with no permission to view the site front page "/" tries to view it.

Since drupal_get_path_alias() returns the current path for an empty input, the destination on the login page ends up being "r4032login", and an access denied is returned after login.

This is easily fixed by using drupal_lookup_path() instead of drupal_get_path_alias(). Patch attached.

greggles’s picture

Title: Incorrect destination on logout » Incorrect destination on logout if user cannot view homepage

Updated title to be more clear.

@firebird - You've stated the problem and a proposed solution, which is great. But what is the behavior once your patch is applied?

pwolanin’s picture

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.