Conflict with OpenID module: openid users are never shown the terms and conditions, yet they are credited as having accepted them automatically.

Comments

sikjoy’s picture

One of the nice features of OpenID is that you don't have to fill out a form when you register with a website. Consequently, the registration form is skipped.

When OpenID users reach the 'insert' case in hook_user, legal executes the legal_save_accept function. If there were some way to test for OpenID registrations at this point, you could break out of this case before executing this function. Then OpenID users would be presented with the T&Cs at the login stage.

sikjoy’s picture

Version: 5.x-1.0 » 5.x-1.3
StatusFileSize
new482 bytes

The following patch solves the problem for me. If someone could test it that would be great.

sikjoy’s picture

Assigned: Unassigned » sikjoy
Status: Active » Needs review

Oops, forgot to change the status.

dpalfan’s picture

I'm ready to test it, but need the legal module updated to Drupal6.

robert castelo’s picture

Version: 5.x-1.3 » 6.x-7.x-dev

Anyone want to try this out?

robert castelo’s picture

Version: 6.x-7.x-dev » 6.x-2.2-beta3

#2 patch doesn't add functionality required for OpenID to fully work with Legal module.

We need Legal to interrupt after the OpenID system has verified who the user is, during legal_user 'login' operation.

sikjoy’s picture

I see you changed this bug to Drupal 6.x. Will the fix be back-ported to 5.x?

robert castelo’s picture

It should be possible to take the relevant code from the D6 version and add it to the D5 version. We'll see.

sikjoy’s picture

Version: 6.x-2.2-beta3 » 5.x-1.9
Status: Needs review » Active

Switching this bug back to active since the patch didn't work out.

sikjoy’s picture

Assigned: sikjoy » Unassigned
rbryer’s picture

Any progress on this?

jamesJonas’s picture

Version: 5.x-1.9 » 6.x-2.2-beta4

I'm also interested if anyone has found a fix for this issue.

xibun’s picture

same here

Delta Bridges’s picture

subscribing

mfer’s picture

This legal problem isn't just for openid users. What about anonymous commenters with the legal module?

Here is my suggestion. Under the openid login and the comment area there is a space to have a message that says (by logging in with openid/commenting you are accepting the terms.) The terms is a link to the terms page. There could even be an option for a checkbox that fails the form if not checked asking them to accept the terms.

This would be fairly straight forward to put into code. Does the idea work?

Thoughts?

dayre’s picture

This is also a problem for any bulk added users. We're bootstrapping a large user base using this module and by default they all had the terms accepted.

This is due to the hook_user insert operation which assumes if Drupal got to that point, the user has accepted... which may not be the case.

To solve this, and the openid issue, might be good to have some additional hook structure in there... for my problem, i solved it like this.

case 'insert':

        $conditions = legal_get_conditions();
        if (empty($conditions['conditions'])) return;

        $accepted = $edit['legal_accept'];
        
        $edit['legal_accept'] = NULL;

        ...
        ...

        // don't insert if there is no acceptance
        if ($accepted) {
            legal_save_accept($account->uid, $conditions['tc_id']);
        }
pfournier’s picture

Version: 6.x-2.2-beta4 » 6.x-2.4-rc2
StatusFileSize
new1.34 KB

Here is a patch that also handles the 'update' case.

quicksketch’s picture

Title: OpenID logins bypass T&Cs » All external login mechanisms (OpenID, Bakery, Facebook Connect, OAuth) logins bypass T&Cs
Version: 6.x-2.4-rc2 » master
Status: Active » Needs review
StatusFileSize
new1.9 KB

Thanks @pfournier for the patch! It doesn't look like it was properly formed however, so I rebuilt it in this patch (with a little documentation). I'm not quite sure what's going on with the branches in this project (7.x, 8.x, master, what's going on here?) so I rolled it against master, which looks like it's for Drupal 6 still.

I'm actually using this module with Facebook Connect, which also suffers the same problem. I'm updating the title issue to reflect the scope of the issue.

To be more clear, the user doesn't just *bypass* the T&C, they actually are marked as having accepted the conditions! That's much worse. I can't imagine the fight that might arise over a user who violated the terms of service arguing that they never even agreed to them to begin with.

robert castelo’s picture

Status: Needs review » Fixed

Thanks dayre, pfournier, and quicksketch.

I tested with OpenID and works beautifully.

Committed, and will be part of a release today.

Re branches: - master and 6.x-8.x are currently the same, I jumped up to 6.x-8.x because I had previously accidentally created a 6.x-7.x branch which was never actually developed on, and just wanted to make a fresh start.

quicksketch’s picture

Ah yes, classic. I'd be lying if I said I never made a 6.x-6.x release accidentally. :P I'm happy the new project Git mechanism is much less prone-to-error.

Thanks for committing (and for really pulling this module out of the pits!)

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.