Conflict with Core - Node author field autocomplete

Project: Persistent Login
Version: 6.x-1.4
Component: Code
Category: bug report
Priority: normal
Assigned: Unassigned
Status: active

Issue Summary

The default path filter for pages requiring a login includes user/*/*, which matches /user/autocomplete/*. As a result, if the user has not logged in to a secure page previously in their session, the autocomplete call returns a big, ugly JavaScript notice including the entire HTML output of the login-required page.

Comments

#1

My thoughts:

a) Code an exception for autocomplete paths
Allow paths matching /autocomplete/[^/]+$ to pass by the secure pages filter.

b) Allow user-specified exceptions to the secure pages filter
I would like to keep the user/*/* value so that the entire path hierarchy is kept secure, but allow the single path user/autocomplete/* to not require login.

c) Return JSON output.
I'm not sure there is a way to detect which paths will return a JSON response, but PL could then return either an empty response for the autocomplete (and not bother the user with an error), or provide a readable error message (but then how does the user avoid the message?).

#2

I'm experiencing this error on the core author field too and also on a custom form.

But interestingly, it does not appear to occur for CCK User Reference autocomplete text fields at

/userreference/autocomplete/[field_fieldname]/[char string]

#3

@amanire
re: user reference fields
That's clearly an effect of the path matching: /userreference/* does not match the /user/*/* pattern.

#4

@gapple I see. And it's /user/autocomplete/* on my custom form that is throwing the error. The module should definitely exclude the path by default since this is not an intuitive exception to add.

Would that create a possible security hole for a username of "autocomplete"? I wonder if the real problem here is the collision with the core autocomplete path and the user path? Not a likely patch but maybe worth addressing in Drupal 7? I'm just thinking out loud here.

#5

For an immediate remedy, I set "Pages which require an explicit login" to exclude:

user
user/*/edit*
user/*/address
cart/checkout
admin/settings/persistent_login

I realized this doesn't protect the "entire path hierarchy" but what paths would I be missing that would introduce insecurities?
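
A small Python model of the wildcard matching behind this thread, added here as an illustration (it is not code from the Persistent Login module or from Drupal, and it leaves out the <front> alias that Drupal's real matcher also handles): it shows why user/*/* catches user/autocomplete/*, what proposal (a) from #1 changes, and which paths the list in #5 still protects.

```python
import re

# Constructed sample pattern lists, one pattern per line, in the form the
# "Pages which require an explicit login" setting takes.
DEFAULT_PATTERNS = "user/*/*"          # the default entry the issue summary describes
COMMENT5_PATTERNS = """user
user/*/edit*
user/*/address
cart/checkout
admin/settings/persistent_login"""

# Proposal (a) from comment #1: let any path ending in /autocomplete/<one segment> through.
AUTOCOMPLETE_EXCEPTION = re.compile(r"/autocomplete/[^/]+$")


def compile_patterns(patterns: str) -> "re.Pattern[str]":
    """Model of Drupal 6 path matching: each line is a pattern and '*' matches
    any run of characters, including '/'. Assumed reimplementation for this
    illustration; the <front> alias of the real function is not modelled."""
    alternatives = [
        re.escape(line.strip()).replace(r"\*", ".*")
        for line in patterns.splitlines()
        if line.strip()
    ]
    return re.compile("^(" + "|".join(alternatives) + ")$")


def requires_login(path: str, patterns: str) -> bool:
    """True when the Drupal path (no leading slash) hits the secure-pages filter."""
    return compile_patterns(patterns).match(path) is not None


def requires_login_with_exception(path: str, patterns: str) -> bool:
    """Same filter, but autocomplete callbacks are exempted before the wildcard
    test, so a JSON endpoint is never answered with the HTML login page."""
    if AUTOCOMPLETE_EXCEPTION.search(path):
        return False
    return requires_login(path, patterns)


if __name__ == "__main__":
    for path in ("user/autocomplete/ali", "user/1/edit",
                 "userreference/autocomplete/field_author/al"):
        print(f"{path:45} default={requires_login(path, DEFAULT_PATTERNS)!s:5} "
              f"with_exception={requires_login_with_exception(path, DEFAULT_PATTERNS)!s:5} "
              f"comment5={requires_login(path, COMMENT5_PATTERNS)}")
```

The third path reproduces what #2 and #3 observed: the userreference callback never matched user/*/* in the first place.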

#6