When I look at the profiles for my users, all their tokens are exactly the same. I tried resetting all tokens from the admin page. It did reset them to a new value, but that new value is the same for all the users.

What information can I provide to help track this down?

Comments

jmcclure-1’s picture

My wife (who, unlike me, is a serious Drupal user) suggested I add a few details:

This problem happened on a fresh install of Drupal 6.6 with tokenauth. Basically, I installed everything, created a few blog posts, hand-added a few users, and tried tokenauth.

The following modules are enabled on the site:
Blog
Color
Comment
Contact
Database logging
Help
Menu
Path
Profile
Search
Taxonomy
Update status
Drush
Drush package manager
Drush package manager svn support
Drush package manager wget support
Drush SQL commands
Drush toolbox
Token
Token authentication (of course)
Simple Access

alexh’s picture

Category: support » bug
Priority: Normal » Critical

Hello,
I found the same issue and I think it is a bug.

The $uid is not passed properly to the tokenauth_user_profile_form function, and so the token form in the user profile always displays for uid=1, no matter which user profile you have selected. You can notice this also in the title of the page which displays the name of the user with uid=1.

domesticat’s picture

I'm hoping to nudge this a bit (I'd be the spouse of @jmcclure, from comment #1) -- is there anything we can do to provide more info or help debug?

4drian’s picture

Help? Anyone? Moshe? Kind of a complete show stopper surely?

seddonym’s picture

Hello - I got it working by changing a couple of lines of code in tokenauth.module.

I simply made the following changes to the token_user_profile_form function (changed the signature and added a line at the top).

function tokenauth_user_profile_form(&$form_state) {
    
  $uid = arg(1);

For completeness, I also changed line 36 to:

 'page arguments' => array('tokenauth_user_profile_form'),

All it does is get the user id from the url - this works everywhere I need it on my site but it does depend on the form being produced with the URL user/[uid]/tokenauth which may not always be the case...works for me though.

Apologies for not submitting a patch file, I'm not sure how.

moshe weitzman’s picture

Status: Active » Fixed

New release available and alert about to be posted at #413692 (SA-CONTRIB-2009-015) fix Access bypass.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.