External user authentication broke in 5.8 update
| Project: | Drupal |
| Version: | 5.8 |
| Component: | user.module |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | duplicate |
Decided to see how updating my site to 5.8 would go and sure enough there was at least one issue! ;-)
I use hook_auth to validate user logons and once with 5.8, all user logons that went thru my hook_auth were failing, even though that hook_auth was returning true.
I dug around in user.module (user_authenticate), diff-ing between 5.7 and 5.8 to see what changed and I found the problem. In the invocation of hook_auth, upon success $registered_user is set to user_load($name), but the return value $user is only set if the registered_user is new and thus $user becomes user_save's returned value.
Is this a bug or a deliberate design change?
Attached is a patch of my 'solution' to this..
If my patch isn't correct, am I supposed to be setting global $user in my hook_auth then?
Thanks
~R
| Attachment | Size |
|---|---|
| user_authentication.patch | 299 bytes |
#1
I'm sorry, when I asked "Is this a bug or a deliberate design change?", I should have added "or my own ignorance of how to properly do this?"
#2
@reubidium: your solution would lead to "trusting" remote authentication to login all local users, even those that were not didn't originate from remote authentication, for example your user #1!
Drupal 5 currently does not properly support remote authentication if your users don't have a server part (ie. if there are not in the form user@server). I published a patch for this in #283026: user_authenticate from external source (for existing users) not working with no server part.
#3
Thanks Damien..
I have a situation where I cannot use authmap in its intended fashion and need hook_auth to validate a user authentication.
Taking your advice, I rethought my code and wanted to submit a new patch. I now have it grant access only if the uid is >1 and the local user status is 1. Would love any feedback.
Thanks,
Reuben
#4
That's a hack, this is not the way external authentication is supposed to work, and surely cannot be a general solution.
If you want to hack properly, please see the code in the
ldap_authmodule. There are some clever tricks there on how to change core's behavior without hacking into it.#5
very educational, thanks damien..
(freely admit to the hack status.. at that point with drupal where i know enough to be dangerous ;-)