Closed (duplicate)
Project:
Drupal core
Version:
5.7
Component:
user system
Priority:
Normal
Category:
Bug report
Assigned:
Reporter:
Created:
21 Mar 2008 at 22:35 UTC
Updated:
8 Apr 2008 at 09:35 UTC
I've been developing a user authentication module that implements hook_auth. I encountered warning messages regarding the array functions in user_access(). I discovered that while some system was checking for 'administer users' permissions, $account->roles did not exist. This was likely a problem in my own module since I never get this error with my module disabled.
But to take the other side for a moment, I don't think there's any reason user_access should try to perform array functions on a non-array, even if there is a problem elsewhere. Perhaps a warning should be logged to the watchdog instead of printing errors straight to the screen.
On to the patch:
The patch is very straightforward, I've added a simple check to make sure $account->roles is actually an array before moving on to call the following array functions.
Any thoughts?
| Comment | File | Size | Author |
|---|---|---|---|
| user.module-0.patch | 1011 bytes | stevecrozz |
Comments
Comment #1
bkraegelin@drupal.org commentedMetoo. Same intention, same error.
I tracked the problem down to the fact, that user_access is called before my module is able to register the user. (I work on SSL client certificate authentication with auto registering users.).
At that time, $account is empty. No uid, no roles, no anything. My quickfix was to check $account->uid for not being zero and otherwise immediately returning FALSE.
As I'm brand new to developing modules and to fiddle with Drupal's API, I would like to figure out, if there is an underlying problem in the API or in another part of Drupal. I don't like quick fixes.
As it is always good programming style to check variables before use, I second the patch. But I would like to raise it as a problem for core Drupal. 'user_access' should not be called with a clompletely empty account.
Comment #2
chx commentedThe user is loaded either by user_load or sess_read which fills in roles. If neither happened, you did something broken. And we have a policy of not babysitting broken code.
Comment #3
stevecrozz commentedThere is another patch that takes another approach to this same problem by avoiding the erroneous call to user_access in the first place rather than attempting to gracefully handle an improper call. I'm marking this issue as a duplicate as the underlying issues are the same as far as I can tell.
http://drupal.org/node/208888
Comment #4
bkraegelin commentedRead all the hints, checked patch from http://drupal.org/node/208888 (it's already included in my version), rewrote all my code. Still no success.
I use hook_init() like webserver_auth.module does. My module starts with a call of user_external_login_register. This one seems to trigger two calls to user_access. The first isn't correctly initialized, the second one is called with the newly registered user object and works fine.
I tracked it down now to profile.module. When calling hook_user('insert'), the profile module calls user_access('administer_users'), when there is no user object instantiated.
So my problem shows the same effects but has another cause.