I'm not sure if this is a bug, but it did cause me some confusion for a while so I thought I'd document it.

It's simply this: if you try to view a user that has registered, but has never logged in, you will receive an access denied message (unless you have 'administer users' permission).

Since I have been creating some user accounts automatically (as a by-product of signing up to a mailing list), it took my a while to figure out why I couldn't see the users I'd created.

A simple hook_user was the solution, but I thought it worth raising just in case:

function MYMODULE_user($op, &$edit, &$account, $category = NULL)
  {
    //Users cannot be viewed unless they have logged in at least once.  This sets the database so it looks like they logged in when
    //they registered.
    if ($op == 'insert')
    {
      db_query('UPDATE {users} SET `access` = \'%d\' WHERE `users`.`uid` = %d LIMIT 1', array($edit['created'], $account->uid));
    }
  }
CommentFileSizeAuthor
#4 Screen shot 2011-07-28 at 5.23.02 PM.png173.95 KBareynolds

Comments

tayzlor’s picture

tayzlor commented

This is surely a bug and not 'by design' ? Can confirm i am having this same problem - if you create users through admin who have some profile data, any other user on the site trying to view their profile page gets access denied if the user has not logged in yet. Should they not be allowed to view that user's profile regardless of whether they have logged in or not?

bzzz’s picture

bzzz commented

This checking are coded in User module:

function user_view_access($account) {
  return $account && $account->uid &&
    (
      // Always let users view their own profile.
      ($GLOBALS['user']->uid == $account->uid) ||
      // Administrators can view all accounts.
      user_access('administer users') ||
      // The user is not blocked and logged in at least once.
      ($account->access && $account->status && user_access('access user profiles'))
    );
}

And therefore I have another questions: Why links to not logged in users are available as links? Why it doesn't replaced by simple text?

protoplasm’s picture

protoplasm commented

Issue for me as well. Apparently ongoing issue as well. See http://drupal.org/node/171117#comment-844361 .

areynolds’s picture

areynolds commented
Version: 6.14 » 7.4
StatusFileSize
new Screen shot 2011-07-28 at 5.23.02 PM.png173.95 KB

Just ran across this for my site as well running 7.4. It does seem like an edge-case issue that can be either desired behavior or a bug, depending on how you squint at it. In my case, I'd argue it was a bug. We were inserting content into user accounts that had never logged in. When users clicked on the content authors...boom, access denied. Actually, because we were using Panels to layout profile pages, the result was a bit weirder: an access denied page, with the profile page of the ghost user below in a sort of "mirror" of the site. I've attached a picture to illustrate.

Considered posting to Panels and/or User issue pages, but after seeing this thread, I think I'll just let it lie. Our use case is easily solved (don't insert content into accounts that haven't been initialized).

Version: 7.4 » 7.x-dev

Core issues are now filed against the dev versions where changes will be made. Document the specific release you are using in your issue comment. More information about choosing a version.

Status: Active » Closed (outdated)

Automatically closed because Drupal 7 security and bugfix support has ended as of 5 January 2025. If the issue verifiably applies to later versions, please reopen with details and update the version.