Closed (fixed)
Project:
Token authentication
Version:
6.x-1.0
Component:
Code
Priority:
Critical
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
1 Dec 2008 at 18:35 UTC
Updated:
8 Apr 2009 at 19:20 UTC
When I look at the profiles for my users, all their tokens are exactly the same. I tried resetting all tokens from the admin page. It did reset them to a new value, but that new value is the same for all the users.
What information can I provide to help track this down?
Comments
Comment #1
jmcclure-1 commentedMy wife (who, unlike me, is a serious Drupal user) suggested I add a few details:
This problem happened on a fresh install of Drupal 6.6 with tokenauth. Basically, I installed everything, created a few blog posts, hand-added a few users, and tried tokenauth.
The following modules are enabled on the site:
Blog
Color
Comment
Contact
Database logging
Help
Menu
Path
Profile
Search
Taxonomy
Update status
Drush
Drush package manager
Drush package manager svn support
Drush package manager wget support
Drush SQL commands
Drush toolbox
Token
Token authentication (of course)
Simple Access
Comment #2
alexh commentedHello,
I found the same issue and I think it is a bug.
The $uid is not passed properly to the tokenauth_user_profile_form function, and so the token form in the user profile always displays for uid=1, no matter which user profile you have selected. You can notice this also in the title of the page which displays the name of the user with uid=1.
Comment #3
domesticat commentedI'm hoping to nudge this a bit (I'd be the spouse of @jmcclure, from comment #1) -- is there anything we can do to provide more info or help debug?
Comment #4
4drian commentedHelp? Anyone? Moshe? Kind of a complete show stopper surely?
Comment #5
seddonym commentedHello - I got it working by changing a couple of lines of code in tokenauth.module.
I simply made the following changes to the token_user_profile_form function (changed the signature and added a line at the top).
For completeness, I also changed line 36 to:
All it does is get the user id from the url - this works everywhere I need it on my site but it does depend on the form being produced with the URL user/[uid]/tokenauth which may not always be the case...works for me though.
Apologies for not submitting a patch file, I'm not sure how.
Comment #6
moshe weitzman commentedNew release available and alert about to be posted at #413692 (SA-CONTRIB-2009-015) fix Access bypass.