Invite's registration access control conflicts with LDAP Provisioning module
| Project: | Invite |
| Version: | 6.x-2.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed |
Problem:
Invite module has this nifty "New user registration by invitation only." setting which is exactly what we need. I've tested it out and it seems to work great. However, as soon as I bring LDAP Provisioning module into the mix (LDAP Provisioning is a module that creates a user record in an LDAP database for each new user registration on the Drupal side), this access control goes away. If I manually enter /user/register, even on a new browser that I'm quite sure doesn't have an invite code in my session, I'm able to access the form. Not good!
The cause (I think):
I looked through the code of both modules, and the place I think the issue comes in is that Invite module's access control is happening in hook_form_alter(), the same place that LDAP Provisioning module is doing its "Add a bunch of fields to the user registration form" stuff. (Side note: I have a feeling that this behaviour is not particularly unique to LDAP Provisioning module, and could in fact happen with any module that's hook_form_alter()ing the user registration form.)
The solution (possibly!):
Invite module should be denying access to the user registration form at the menu callback level, not at the form level.
#1
Here's a concept patch that definitely needs another set of eyes on it, but seems to solve the problem for me.
#2
...and much more D6-style, too! Essentially, I've modified two things:
- allow overriding the menu access handler only if no other module has changed it
- the default access handler user_register_access() still needs to be called after we're done with our checks.
I felt brave and committed the attached patch.
#3
Automatically closed -- issue fixed for 2 weeks with no activity.