Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
When a user logs in after viewing the custom 403 page, the 403 page is still displayed. The user should instead see the page they were trying to request.
Comment | File | Size | Author |
---|---|---|---|
#16 | issue24587_2_common.inc.patch | 1.46 KB | Tobias Maier |
#15 | issue24587_common.inc_0.patch | 606 bytes | kbahey |
#14 | issue24587_common.inc.patch | 612 bytes | Tobias Maier |
#2 | customerror.patch | 2.73 KB | Steve Dondley |
Comments
Comment #1
Dublin Drupaller CreditAttribution: Dublin Drupaller commentedas opposed to a patch..you could try this....
and insert this into your form action line:
The php script at the top catches the reffering url and assigns to to the $ref variable...
I haven't tested the above, so it's only a suggestion...might be easier to implement that in your custom 403 page rather than wait for a patch.
Dub
Comment #2
Steve Dondley CreditAttribution: Steve Dondley commentedThanks, Dub. But I have a patch here. Give it a shot if you want. It's probably a little more convoluted than it needs to be but it appears to work. The good part about it is that you don't have to hack the core. The bad part about it is that I had to get rid of the $may_cache variable for it to work. The other quirk about it is that let's say you have user 1 and he gets a 403 error for trying to view admin/block without authorization. Then user 2 comes along and gets a 403 error for trying view admin/settings without authorization. Then when user 1 logs in, he will see admin/settings instead of admin/block (the page he was originally trying to view). This will only be a problem on busy sites.
If you look at the code, you'll see that I drew heavily from some menu functions to determine if the user is now authorized to look at a page. Basically they way it works is this:
If you get a 403 error, the module does a variable_set to see what path you were trying to access. When you login, the customerror module basically runs the same two functions as the menu module to see if the user has access. If so, the module does a redirect to the page by pulling the old path out with variable get.
I'll leave it to a pro with better than ideas to polish this up. Hopefully this code has helped pave the way.
Comment #3
kbahey CreditAttribution: kbahey commentedThanks for the patch nysus.
I don't mind removing the $maycache, but it may be a performance hit for some large sites.
I think the patch as it exists, is overly overcomplicated. Too much code in there.
The reason you were getting different users getting each other's path is that it is saved in the database.
I was thinking of something along the lines of what Dub said. Check if the referrer is set, and then issue a drupal_goto().
Try to replace the customerror_page function with the version below, merged to the original module (not the nysus modified one).
I did not test it though.
Comment #4
kbahey CreditAttribution: kbahey commentedJust realize that this may cause a redirection loop (403 -> original page -> 403 -> ...).
Oh well. Someone may think of something better.
Comment #5
Steve Dondley CreditAttribution: Steve Dondley commentedYes, infinite redirects are a problem. I ran into it quite frequently while developing this solution.
Like I said, there is probably a better way. I don't see any way around using the database, however. You need to be able to remember the initial page the user tried to come through.
To avoid the problem I mentioned above of one user clobbering the other user's redirect is to use info in the user's cookie to give him a unique "redirect identifier." But then the database will get littered with redirect data. You would have to set up a cron to delete the old ones.
I'll also try Dublin's idea at some point and see how it goes.
Comment #6
kbahey CreditAttribution: kbahey commentedThe session ID is a good unique identifier.
So, we could use the Session ID to identify the original page that we would redirect to.
However, if we use variable_get() this means there will be one entry per session, and on a large site, this can be a) too big, and b) a significant overhead
Unless we delete it from the table upon redirect, which solves a) but worsens b) (more db operations).
Perhaps we can make this a config option. If the site is small, then this is a good option to turn on. If it is a large site, then the site admin should turn this off.
Comment #7
spiff06 CreditAttribution: spiff06 commented+1
Comment #8
kbahey CreditAttribution: kbahey commentedPlease do not change the title. It will make it difficult for others to find the issues.
As for a solution, the patches provided seem to work, but they are overly complex.
I am not going to apply them as is, unless a simpler and cleaner patch arise.
Comment #9
ymcp CreditAttribution: ymcp commentedHas there been any progress on this? It may seem like a minor issue, but it is a real show-stopper for a site that I am trying to port to drupal.
Users are not permitted to see any content without being logged in, so the custom 403 page serves very well as a "welcome, please log in" screen... but when they log in they still see the "please log in" message. They're going to find that very confusing.
Comment #10
kbahey CreditAttribution: kbahey commentedAs far as the solutions mentioned, they are too complex and not simple and clean.
I am waiting for someone to put a better patch, since I am not working actively on this at the moment.
Comment #11
kbahey CreditAttribution: kbahey commentedWhen this patch is in core, it could be the basis of a better solution.
Maybe the previous patch to CustomError can be reworked in the future to use this.
Comment #12
kbahey CreditAttribution: kbahey commentedRedirection is now in core. Check it here http://drupal.org/node/26467
Anyone cares for a patch based on that?
Comment #13
Tobias Maier CreditAttribution: Tobias Maier commentedI'm investigating this issue
as far as I can say now it is _no_ error of customerror its an error of the user-login-block and a little bit of menu_set_active_item()
(the form-destination is set to the URL of the error-page)
maybe youll get a solution today.
but this will affect the core.
i dont want to change the Project/component by now.
but if I have a solution
cu tobias
Comment #14
Tobias Maier CreditAttribution: Tobias Maier commentedI found a solution
1. As I mentioned this is no error of customerror!
2. this is a bug and no new feature witch should come (because it is done the right way if you are not using any other errorpage
the patch adds the line
$_REQUEST['destination'] = urldecode(substr(drupal_get_destination(),12));
to drupal_access_denied()
--> the $_REQUEST['destination'] is now set before user_block() asks for destionation
Ciao Tobias
Comment #15
kbahey CreditAttribution: kbahey commentedThe patch is garbled (DOS editor?)
Here is the same patch in a proper format so others can review it.
What I do not like is the 12 in the substr. This kind of hard coded numbers has to be at least documented so it can be changed in the future if need be.
Comment #16
Tobias Maier CreditAttribution: Tobias Maier commentedi dont like it too
but this was the fastest way to do it :D
here comes a new patch
but this changes drupal_get_destination() a little bit
cu tobias
Comment #17
moshe weitzman CreditAttribution: moshe weitzman commentederlinofchaos has a more current patch on this in the queue