A first-time user who edits their profile is immediately blocked after they submit even if their expire time is set in the future.

Steps to reproduce:
As an administrator, create a new user.
Log out and then log in as the new user.
Go to the user's edit account page.
Edit something (signature for instance).
Submit the form.

What happens:
You'll get an Access Denied page, the user has been blocked.

I think this bug only occurs when the user is created by an administrator, and I think it has to do with the selectAT property used by the module. The bug also does not occur if the administrator edits the user after creation.

CommentFileSizeAuthor
#3 account_expiry-284838.patch1.53 KBcoltrane

Comments

coltrane’s picture

coltrane
he/him
commented

On insert in hook_user() account_expiry_edit() is called without being given $expiry_timestamp. When that variable is NULL the module uses the default expiry which is 943945200 or Tue, 30 Nov 1999 07:00:00 GMT which gets written into the account_expiry table for the user. Now the user has an expire timestamp in the past and I think that during the after_update op of hook_user() the user gets blocked.

coltrane’s picture

coltrane
he/him
commented

Bah, this one is confusing. It's not the insert operation of hook user, I think instead its that since http://drupal.org/cvs?commit=114017 the form_alter doesn't add expiry_date day, month, and year unless you have the right permissions. When those are not added to the form and its submitted the account object in hook_user() does not have $account->day, $account->month, and $account->year so the mktime() in the after_update operation is returning a bad date.

coltrane’s picture

coltrane
he/him
commented
Status: Active » Needs review
StatusFileSize
new account_expiry-284838.patch1.53 KB

The patch wraps the after_update logic into a user_access() check which keeps account_expiry_edit() from being called with a bad timestamp.

hapydoyzer’s picture

hapydoyzer commented
Priority: Normal » Critical

>I think this bug only occurs when the user is created by an administrator

In my installation bug occurs even if user create account himself.

hapydoyzer’s picture

hapydoyzer commented

for me, patch works for both "user create account" and "admin create account".

hapydoyzer’s picture

hapydoyzer commented
Title: Admin-created users are blocked after saving their profile » New users are blocked after saving their profile
hapydoyzer’s picture

hapydoyzer commented
Status: Needs review » Reviewed & tested by the community

Patch is tested with "user create account" for a long time on production site.

adesigns’s picture

adesigns commented

can someone repost this patch...I'm running into problems when i try to patch module file. I've applied patch that was posted here, but still no help. Tried to re do it, and reapplied to original module file and got an error:

patching file account_expiry.module
patch unexpectedly ends in middle of line
Hunk #1 succeeded at 176 with fuzz 1

I hope that error message helps. Can someone post the solution.

Thank you.