As a result of http://drupal.org/node/176342, a reset parameter was added to the user_access() syntax in order to issue a command to unset the $perm variable.

This worked because your next call to user_access() would now use the refreshed $perm variable.

As of Drupal 6.5, this does not appear to be working in quite the same way. See my comments here: http://drupal.org/node/325437#comment-1076214

This is happening when user_access() is called by module_invoke().

Now, in this case, if you issue the user_access('', NULL, TRUE) command, then iwhen user_access() runs again, the $perm variable will contain only the permissions from the default roles (i.e., no dynamically created roles), thus removing the purpose of the modification in the first place.

Now, at this point, I'm not 100% sure if this problem is caused by the user.module itself, or some other module which is manipulating the $perm variable. But, if it is in the user.module, I really, really need some help in resolving it.

In short, the problem as I see it: incorrect permssions are being cached by the $perm variable (that is, they do not reflect the roles in the $user object at the time user_access() is initiated), and they can not be correctly "flushed" by the "reset" command (the next time user_access() is ran, the permissions in $perm do not reflect the current roles in the $user object). So, the "reset" command actually saves the correct permissions, but they are overridden the next time user_access() is ran.

Help!

Comments

somebodysysop’s picture

somebodysysop commented

I've written a bunch of debug code in the user, node and ogur modules and now have more details. I am printing the output of user_access every time it is called.

When I issue: 

user_access('ClearCache', NULL, TRUE)

Static $perm variable is cleared and re-filled with permissions from current $user object. This is correct.

When module_invoke is immediately executed next:

module_invoke('node_content', 'access', 'create', 'story', $user)

This will now execute another call to user_access:

user_access('create story content', $user)

The $user object still contains the same roles. The $perm variable now contains values. But the values in $perm are NOT the same as those inserted during the ClearCache call above! They have changed, and NOT from the user_access function (which I am monitoring)! So the question is: Why has this $perm value changed?

So far, I've found this behaviour occurs with OGUR when one of the following is installed:

taxonomy_access
tac_lite
menu_breadcrumb
admin_menu

I so far am unable to discover what it is about these modules which is causing this problem.

This did not occur in 5.x and earlier 6.x versions of Drupal.

Please, please, please help!

somebodysysop’s picture

somebodysysop commented
Status: Active » Needs review

Bug in user_access function: http://drupal.org/node/329646

This bug prevents the reset mechanism from working properly. Resolved in 6.x with this patch: http://drupal.org/files/issues/329646-user-module-reset-d6.patch

ainigma32’s picture

ainigma32 commented
Status: Needs review » Fixed

Solution provided so I'm setting this to fixed.

- Arie

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.