I found this while debugging a strange error message that originally seemed to be caused by the img_assist module, but on deeper inspection turned out to be caused by an interaction between the user and taxonomy_access modules.

I am running Drupal 4.6.5 and the latest image and image_ast modules for 4.6, and taxonomy_access.

The cause of my error stems from a problem with an interaction between the "taxonomy_access" and the "user" modules, and arises when someone tries to log in with an incorrect password. Here's what happens:

1. I have used image assist to upload images which I then include in my page design. I have created a custom block that includes the following code:
[img_assist|fid=37|thumb=1|alt=Chico Interrogación].

2. When a user tries to log in using an incorrect password, the "user_login" function is called, which in turn calls "user_authenticate", which in turn calls "user_load", which attempts to load the user. The SQL which searches for the user (based on login name and password) returns an empty set (remember, I'm discussing the case where the user enters an incorrect password). When this happens, the following line is executed within "user_load": $user = new StdClass(); - i.e. an empty object - and immediately afterwards: return $user;. This passes control back to user_authenticate, which assigns this empty object to the GLOBAL $user variable. Prior to this, the global $user was not an empty object, but had several attributes, including $user->uid = 0, and $user->roles[1]="anonymous user". These attributes are therefore gone after this point.

3. Execution continues normally, until the blocks are loaded, and in loading my custom block a call to img_assist_load_image is made. Because the image is a node, before the image can be loaded a call to node_access_grants is made while constructing the sql. Within this function, the GLOBAL $user (which is now an empty object) is passed through "module_invoke_all" down to "taxonomy_access_node_grants". The content of this short function is as follows:

function taxonomy_access_node_grants($user, $op) {
  return array('term_access' => array_keys(is_array($user->roles) ? $user->roles : array()));
}

Given that $user is empty, the output of the function is an array whose key is 'term_access', and whose value is an empty array. Normally, for an anonymous user, the key would be 'term_access', and the value would be an array[1]="anonymous user".

4. To make a long story shorter, the function _node_access_where_sql (in node.module) would normally generate the following where clause segment in the case of an anonymous user: "na.grant_view = 1 AND CONCAT(na.realm, na.gid) IN ('all0', 'term_access1')" . However, in this situation, the 'term_access1' is left out, which causes the sql generated for img_assist_load_image to return an empty set instead of the path to the image. A subsequent call to getimagesize generates an error, as it is passed an incorrect path.

Possible solutions:
a. Modify taxonomy_access_node_grants so that if $user is empty, it automatically assumes a role of anonymous user, and thus would return array['term_access'][1]='anonymous user'.
b. Modify user_load so that it doesn't wipe out the GLOBAL $user variable when an incorrect password is entered
c. Modify node_access_grants to detect whether GLOBAL $user is empty, and if so, set $user_object->roles = array(1 => 'anonymous user')

I'm not familiar enough with these three modules (taxonomy_access, user, node) to know what the impact of each of the proposed solutions would be, so I'm hoping one of the owners can suggest a solution.

Thanks!

Comments

keve’s picture

Nice investigation. Thanks.

I do not know if in user.module it is a bug or it was intentional that after incorrect password $user object is empty. Did you check it w/ Drupal 4.7?

Did you submit a bug report for user.module? I think it would be the best way to find out the opinion of the developer of the module.

If it is not a bug in user.module and it is intentional, of course, I will correct it in TAC module. It does not seem complicated. :)

sja1’s picture

Hi, I've taken your advice and posted this same error as a bug on the user.module: http://drupal.org/node/59116. As I'm still working on my first 4.6 site, unfortunately I haven't had time to install 4.7, so I'm not sure if the behavior exists there as well.

As a post-script, I eventually modified taxonomy-access (solution (a) from my original post), as I figured a change there would be least likely to cause unwanted side-effects in other parts of Drupal. So far it's working fine.

Cheers,

keve’s picture

Can you provide a patch for TAC that solves your problem?

I checked, this problem occurs only in drupal4.6.
It is solved in Drupal4-7 RC3.

sja1’s picture

I haven't learned how to make patch files yet, but the change is a simple one. The modified code follows:

function taxonomy_access_node_grants($user, $op)  {
  /*YAQ Mod 060410 - fixed problem (logged in node/58097) 
     when user enters incorrect password during login */
  return array('term_access' => array_keys(is_array($user->roles) ? $user->roles : array(1 => 'anonymous user')));
}
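
The failure and the fix discussed in this thread, reproduced outside Drupal as an added example (not code from the thread, from Drupal core, or from the taxonomy_access module). where_sql is a simplified, hypothetical stand-in for _node_access_where_sql, the two grants_* functions mirror the hook before and after the change, and the sample users are constructed.

```php
<?php
// Added illustration; simplified stand-ins, not Drupal core or taxonomy_access code.

// Grants hook before the fix. isset() is added only so that modern PHP does
// not warn about the missing property; the returned value is the same.
function grants_original($user, $op) {
  $roles = (isset($user->roles) && is_array($user->roles)) ? $user->roles : array();
  return array('term_access' => array_keys($roles));
}

// Grants hook with the fix from this thread: fall back to the anonymous role.
function grants_patched($user, $op) {
  $roles = (isset($user->roles) && is_array($user->roles))
    ? $user->roles : array(1 => 'anonymous user');
  return array('term_access' => array_keys($roles));
}

// Hypothetical, simplified version of the clause built in node.module:
// the 'all' realm with gid 0, plus whatever the grants hook returns.
function where_sql($grants_hook, $user, $op = 'view') {
  $grants = array_merge(array('all' => array(0)), $grants_hook($user, $op));
  $pairs = array();
  foreach ($grants as $realm => $gids) {
    foreach ($gids as $gid) {
      $pairs[] = "'" . $realm . $gid . "'";
    }
  }
  return "na.grant_" . $op . " = 1 AND CONCAT(na.realm, na.gid) IN ("
    . implode(', ', $pairs) . ")";
}

// Constructed sample users.
$anonymous = new stdClass();
$anonymous->uid = 0;
$anonymous->roles = array(1 => 'anonymous user');
$after_failed_login = new stdClass();  // the empty object left in the global $user

$cases = array(
  'original, anonymous'   => where_sql('grants_original', $anonymous),
  'original, empty $user' => where_sql('grants_original', $after_failed_login),
  'patched, empty $user'  => where_sql('grants_patched', $after_failed_login),
);
foreach ($cases as $label => $sql) {
  echo str_pad($label, 24), $sql, "\n";
}
```

With the original hook, the empty $user leaves only 'all0' in the IN list, so the failure narrows access rather than widening it. The patched hook restores 'term_access1' and grants nothing beyond the anonymous role.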

keve’s picture

Status: Active » Fixed

Thanks for the code. I committed it.

sja1’s picture

You're very welcome!

Anonymous’s picture

Status: Fixed » Closed (fixed)