If you log in using CAS from user/login, you of course get redirected back to user/login and get an ugly 'access denied' message after logging in. I'm not sure how Drupal core handles this situation - whether it always redirects users to the homepage or let's you configure a landing page for after users log in - but we should do whatever it does.

CommentFileSizeAuthor
#20 cas-889404-20.patch490 bytesdanepowell
#17 cas-889404-17.patch708 bytesdanepowell
#9 cas-889404.patch757 bytesmetzlerd
#9 cas-889404-6.2.patch755 bytesmetzlerd

Comments

metzlerd’s picture

metzlerd commented

Generally core redirects you to "user" page. But cas already has the ability to specify a different one in the settings page. You're right that we need to get rid of the pesky access denied message, but I wanted you to know about the work around that might work for you.

danepowell’s picture

danepowell commented

I think the setting that you're referring to only applies to the first login by a CAS user.

Anyway, I should probably elaborate a little- we are using Open Atrium, and what is happening is that anonymous users visit <front>, get redirected to user/login?destination=, log in via CAS, and expect to end up back at <front>, but instead land on user/login?destination= again.

However, if instead of visiting the front page, anonymous users visit somepage, they get directed to somepage/user/login?destination=somepage, log in via CAS, and land at somepage as expected.

FYI, I opened an issue with OA as well in case the problem's on their end: https://community.openatrium.com/issues/node/2349

metzlerd’s picture

metzlerd commented

I'm a bit confused by this. Are you using your own cas server or the one provided with the cas module? When you login to cas you should get redirected to the cas server's login page. Is that not happening?

danepowell’s picture

danepowell commented

Sorry, I guess I left out a step - when I say they "log in via CAS" I mean that they click "Log in" on user/login?destination=, get sent to the CAS server to log in, and then get returned to user/login?destination=. The expected behavior would be to get returned to <front>, since the destination parameter is empty and user/login is not a valid destination for a logged-in user in any circumstance.

danepowell’s picture

danepowell commented
Status: Active » Needs review

The problem is that in most cases, the destination is set as the HTTP_REFERER (sic) that led people to the CAS login path. However, there's no guaruntee that the HTTP_REFERER is a valid path for an authenticated user.

I propose the following patch (if you want me to roll this as an actual patch let me know). Insert it in function cas_login_page right before drupal_goto($destination). It checks the $destination (usually the HTTP_REFERER) to make sure that it's a valid path and the current user has permission to access it. If either of those conditions aren't met, the user is instead directed to <front>.

$destination_info = parse_url($destination);
if (!menu_valid_path(array('link_path' => $destination_info['path']))) {
  $destination = variable_get('site_frontpage', 'node');
}
danepowell’s picture

danepowell commented

Yargh- apparently menu_valid_path is buggy - it returns TRUE for the path 'user/login' even though all users (including admin) are denied access. So maybe it's better just to use this:

$destination_path = parse_url($destination, PHP_URL_PATH);
if ($destination_path == '/user/login') {                                
  $destination = variable_get('site_frontpage', 'node');
}
metzlerd’s picture

metzlerd commented

Sorry it's taken me so long to get back to this, but perhaps we should use the user profile page user/%uid. That's the core behavior. It can be altered with the login_destination module IIRC. I should probably also alter the menu link? Make sense?

metzlerd’s picture

metzlerd commented
Version: 6.x-2.1 » 6.x-2.x-dev
Status: Needs review » Fixed
StatusFileSize
new cas-889404-6.2.patch755 bytes
new cas-889404.patch757 bytes

Here's simpler patches for 6.x-2 and 6.x-3 that appear to correct this problem. They mimic the drupal behavior for what happens when you go to user/login page. Commiting these now.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

psmx’s picture

psmx commented
Status: Closed (fixed) » Needs work

You have a typo in there is what im guessing. You probably don't want to set the destination in the if clause:

if ($destination == 'user/login' || $destination = 'user/register') {

should be 

if ($destination == 'user/login' || $destination == 'user/register') {
bfroehle’s picture

bfroehle commented
Status: Needs work » Fixed

Yes, it's been fixed in 6.x-2.x dev already in #1087770: Redirection to user page is forced on login.

bfroehle’s picture

bfroehle commented

I also rolled a new 6.x-2.3 release which fixes this and two other bugs http://drupal.org/node/1126302

danepowell’s picture

danepowell commented
Version: 6.x-2.x-dev » 6.x-2.3
Status: Fixed » Needs work

The original error persists in 2.3. The code I posted in #7 fixes it, the code as committed does not.

bfroehle’s picture

bfroehle commented

Dane: You are right that the existing system is quite fragile, with lots of the problems stemming from HTTP_REFERER. Specifically, the inability to go from HTTP_REFERER back to Drupal path in an accurate fashion really breaks things.

In 6.x-3.x, this has been solved (by replacing the whole redirection system with something more robust similar to what drupal core's user module does).

Expect an initial 6.x-3.x release in the coming days.

danepowell’s picture

danepowell commented

Thanks for the tip, I look forward to trying the new release.

danepowell’s picture

danepowell commented
StatusFileSize
new cas-889404-17.patch708 bytes

Here's the patch corresponding to #7, against 6.x-2.3... I'll let you decide how you'd like to reconcile it.

bfroehle’s picture

bfroehle commented

What about code in cas_init():

  if (user_is_logged_in() && $_GET['q'] == 'user/login') {
    // If user is logged in, redirect to '<front>' instead of giving 403.
    drupal_goto('');
  }

Edit: I mean user/login, not user/register. Corrected above.

bfroehle’s picture

bfroehle commented

This has the benefit of being robust to Drupal installations in subdirectories of the http web root.

danepowell’s picture

danepowell commented
StatusFileSize
new cas-889404-20.patch490 bytes

Seems reasonable, although I somewhat dislike putting anything in hook_init() unless absolutely necessary. I can try it out and let you know how it works.

danepowell’s picture

danepowell commented
Status: Needs work » Needs review

Yep, #20 works great on 6.x-2.3.

Status: Needs review » Needs work

The last submitted patch, cas-889404-20.patch, failed testing.

bfroehle’s picture

bfroehle commented
Status: Needs work » Fixed

Committed. Thanks for the patch.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.