When a module implements hook_auth to authenticate an existing user, the user_authentication function returns a user object with the wrong values; in other words, it doesn't load the right user.

On line 1009 the user is loaded into $user_register, which calls user_save() when a user doesn't exist yet. This way, the $user object will get filled. However, if the user already exists (thus, it has a uid), the user object remains filled with the 'anonymous' user values, because of the lack of an else statement.

This issue exists after commit #100096 by drumm on February 10, 2008 04:28 (Rev. 1.745.2.27).
The patch provided will fix this issue in 5.x-dev.

File: 20080814-user-authenticate.patch | Size: 669 bytes | Author: Anonymous (not verified)

Comments

liam mcdermott

Status: Needs review » Reviewed & tested by the community

Marking #287503: Passwords module not authenticating users as a duplicate of this.

I've also tested this patch and it works fine. Am marking reviewed and tested, as it's only a three line change and looks good, string me up if I'm wrong. ;-)

damien tournoud

Status: Reviewed & tested by the community » Closed (works as designed)

The behavior is by design: existing users can only be authenticated if they are in the authentication map.

Please see #283026: user_authenticate from external source (for existing users) not working with no server part.