User argument validator munges $user->roles [#927846]

I've been debugging a very screwy issue with the Workflow module in which the $user->roles array is getting returned as key=>rid rather than rid=>role title, as should be the case. I traced this bug through about a half million functions before finding myself at project_issue_views_user_access(). Specifically, line 1695, which reads:

$arg_uid = $view->argument[$argument_name]->get_value();

The $user object is fine on one side of this line, and is altered on the other side. This breaks Workflow, of course. I was pretty tired of digging by this point, and we decided the easiest solution for us would be to simply disable the Project module and reproduce the functionality we needed in another way.

This appears to happen only on node forms, though I can't swear to that. It seems to be related to the access check for the My Issues menu item, and the argument_name is uid_touch. We're also using OG, so it might be some combination of all three modules which is causing this.

Comments

Comment #1

phl3tch commented 30 September 2010 at 17:41

An addendum. I figured out that I could make this go away by disabling the project_issue_user_projects view. So, there must be something awry in there.

Comment #2

phl3tch commented 30 September 2010 at 17:45

Sorry to dribble this in like this, but the view project_issue_user_issues also appears to be a culprit.

Comment #3

dww

we/he/they

commented 30 September 2010 at 18:37

Category:	bug	» support
Status:	Active	» Postponed (maintainer needs more info)

Sorry, but this makes absolutely no sense. ;) That function is not touching the $user object at all. I don't see how this is a bug in project_issue...

Can you provide some very specific details on how to reproduce this bug on a clean installation with the smallest # of modules enabled? Otherwise, I can't really help you here.

-Derek

p.s. I just looked through some code in views. Can you try turning off the user validation on the user argument in the views and see if that changes the behavior? It's possible that views_plugin_argument_validate_user.inc is the thing breaking the $user object, although even then, that's hard to believe.

Comment #3.0

dww

we/he/they

commented 30 September 2010 at 18:44

Project:

Project

» Views (for Drupal 7)

Unpublishing since it looks like this might be a security bug in views.

Comment #4

dww

we/he/they

commented 30 September 2010 at 18:52

Title:	Project Issue module appears to munge user roles	» User argument validator munges $user->roles
Version:	6.x-1.x-dev	» 6.x-2.x-dev
Component:	Issues	» user data
Category:	support	» bug
Status:	Postponed (maintainer needs more info)	» Closed (duplicate)

Yeah, upon closer inspection, this is definitely your problem:
#832954: global $user->roles get changed by argument_user_validate

Comment #5

phl3tch commented 25 October 2010 at 16:06

Yeah, it's weird, but we've moved on. It had something to do with the Project module. We didn't need that module that much, so we got rid of it and everything works fine now.

Comment #6

dww

we/he/they

commented 25 October 2010 at 17:54

@CrackWilding: You misunderstand comment #4. There was no bug in Project module. The bug was in views, and is now fixed.

Comment #7

phl3tch commented 28 October 2010 at 15:31

Oh, oops. And thanks.

User argument validator munges $user->roles

Comments

Comment #1

Comment #2

Comment #3

Comment #3.0

Comment #4

Comment #5

Comment #6

Comment #7

News items

Our community

Documentation

Drupal code base

Governance of community