OpenID logins bypass T&Cs
sicjoy - November 27, 2007 - 23:24
| Project: | Legal |
| Version: | 6.x-2.2-beta4 |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Description
Conflict with OpenID module: openid users are never shown the terms and conditions, yet they are credited as having accepted them automatically.
#1
One of the nice features of OpenID is that you don't have to fill out a form when you register with a website. Consequently, the registration form is skipped.
When OpenID users reach the 'insert' case in hook_user, legal executes the legal_save_accept function. If there were some way to test for OpenID registrations at this point, you could break out of this case before executing this function. Then OpenID users would be presented with the T&Cs at the login stage.
#2
The following patch solves the problem for me. If someone could test it that would be great.
#3
Oops, forgot to change the status.
#4
I'm ready to test it, but need the legal module updated to Drupal6.
#5
Anyone want to try this out?
#6
#2 patch doesn't add functionality required for OpenID to fully work with Legal module.
We need Legal to interrupt after the OpenID system has verified who the user is, during legal_user 'login' operation.
#7
I see you changed this bug to Drupal 6.x. Will the fix be back-ported to 5.x?
#8
It should be possible to take the relevant code from the D6 version and add it to the D5 version. We'll see.
#9
Switching this bug back to active since the patch didn't work out.
#10
#11
Any progress on this?
#12
I'm also interested if anyone has found a fix for this issue.
#13
same here
#14
subscribing
#15
This legal problem isn't just for openid users. What about anonymous commenters with the legal module?
Here is my suggestion. Under the openid login and the comment area there is a space to have a message that says (by logging in with openid/commenting you are accepting the terms.) The terms is a link to the terms page. There could even be an option for a checkbox that fails the form if not checked asking them to accept the terms.
This would be fairly straight forward to put into code. Does the idea work?
Thoughts?
#16
This is also a problem for any bulk added users. We're bootstrapping a large user base using this module and by default they all had the terms accepted.
This is due to the hook_user insert operation which assumes if Drupal got to that point, the user has accepted... which may not be the case.
To solve this, and the openid issue, might be good to have some additional hook structure in there... for my problem, i solved it like this.
case 'insert':
$conditions = legal_get_conditions();
if (empty($conditions['conditions'])) return;
$accepted = $edit['legal_accept'];
$edit['legal_accept'] = NULL;
...
...
// don't insert if there is no acceptance
if ($accepted) {
legal_save_accept($account->uid, $conditions['tc_id']);
}