Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
I just tried to use the user_edit form programmatically and ran over some arg(1) calls in hook_user(), which fail if the form is executed programmatically.
While fixing that I also ran over a similar issue for the user registration form validation - again arg(1) is used during validation.
Attached is a patch which fixes both - validation for the user_edit and user_register forms. It also simplifies the code a bit :)
Comment | File | Size | Author |
---|---|---|---|
#44 | user-arg2account-109588-44-D6.patch | 2.59 KB | cdale |
#41 | user-arg2account-109588-41-D6.patch | 2.66 KB | cdale |
#38 | user-arg2account-109588-38-D7.patch | 2.82 KB | cdale |
#28 | user-arg2account-109588-28-D7.patch | 2.15 KB | cdale |
#27 | user-arg2account-109588-27-D7.patch | 2.15 KB | cdale |
Comments
Comment #1
jpetso CreditAttribution: jpetso commentedI did a short code review and tested if everything still works, and it looks fine to me. It doesn't cause a change in functionality, except that programmable executions work with this patch. api.drupal.org shows no further usages of user_edit_form() (the only public function whose parameters have changed) apart from the ones that have been ported. The code is even a bit cleaner than before.
I can't see any obstacles for this patch being applied.
Comment #2
fluke CreditAttribution: fluke commentedThis patch also fixes the problem that example for drupal_execute use user_register and they fail to report duplicate user name registrations, getting a database error instead. (Unless you happen to be using a url which has register as arg(1).)
Comment #3
sunIt seems to me that the following actions have to be tested:
Comment #4
drummI would like to get a patch of this size in the development version first. The patch no longer applies cleanly there.
Comment #5
fagohere is a patch for drupal 6. The code is already a lot better in 6.x, however the function calls in user_user() still use arg() and let a programmatic account form execution fail. The attached patch fixes that.
Furthermore I noticed that for user registration _user_edit_validate() was called with 'register' as $uid. That resulted only in one unnecessary user_load(), otherwise things were working. I fixed that code and made $uid optional with $uid = FALSE. Perhaps not the cleanest way, but already a lot better than before.
I've successfully tested all above cases with the patch applied.
Comment #6
birdmanx35 CreditAttribution: birdmanx35 commentedJust wanted to let everyone know that this still works against HEAD.
Comment #7
iaminawe CreditAttribution: iaminawe commentedIs this the patch to apply so that it does not try and validate username when submitting the account edit page in pageroute?
Where do I apply this patch please
Thanks
Comment #8
iaminawe CreditAttribution: iaminawe commentedCan anyone point me in the right direction to apply this patch please? Sorry to bump this again but still need to apply this and am a little confused about where....
Thanks
Gregg
Comment #9
iaminawe CreditAttribution: iaminawe commentedany other newbies with similar problem ... try this link... http://s5.video.blip.tv/1690000331669/Add1sun-ApplyingPatchesToCoreDrupa...
A good introduction to patching and this patch works perfectly to fix the annoying page route edit account issue.
There is so much to learn about Drupal...
Comment #10
cdale CreditAttribution: cdale commentedThis bug not only breaks users made with drupal_execute, but it also prevents modules from using hook_menu_alter to modify the path to the user/edit page, or for modules like 'me' alias where I've used the flexibility of D6 to intercept the %user* loaders and switch out 'me' with the current users uid.
Why do these functions not simply pass on the uid from the account object, instead of trying to get it back out of the request? In fact, why not pass on the entire account object? This would remove a couple of DB hits form the user_load also.
I've re-rolled the above patch with a few minor changes. Please review this so that it can get fixed! :)
Comment #11
cdale CreditAttribution: cdale commentedVersion bump.
Comment #13
cdale CreditAttribution: cdale commentedApparently, TortoiseCVS 'make patch' messes up the 'Index' at the top of diff files. Command line it is from now on. :)
Comment #15
cdale CreditAttribution: cdale commentedLets try again...
Comment #16
sunI think we use $account in such cases, not $user, to prevent unwanted altering of the global $user variable (not [yet!] related to the code this patch touches).
Aside from that, this patch looks good.
Comment #17
cdale CreditAttribution: cdale commentedRe-roll with sun's suggestion.
Comment #18
cdale CreditAttribution: cdale commentedMore consistent re-roll/back port for D6.
Comment #20
cdale CreditAttribution: cdale commentedWell that wasn't very clever now was it. Lets see how this goes. :)
Comment #22
cdale CreditAttribution: cdale commentedBah. I don't know why I also attached the D6 version that time....
Comment #23
Dave ReidProbably don't try to name your patch ".patch.patch"...
Comment #24
Dave ReidCross-posted status
Comment #25
cdale CreditAttribution: cdale commentedCheers for that Dave. I didn't even notice I had named it patch.patch. :) Would explain it all though. I'll be more careful in future.
Comment #27
cdale CreditAttribution: cdale commentedRe-roll. Not sure why this failed.
Comment #28
cdale CreditAttribution: cdale commentedForgot to do a CVS update before making the patch.
Comment #29
netbear CreditAttribution: netbear commentedfound these strings in this patch, I think there should be:
Comment #30
cdale CreditAttribution: cdale commentedIf you look further into the patch, you will see that the function _user_edit_validate is also modified, so the patch is correct as is.
Comment #31
netbear CreditAttribution: netbear commentedsorry, my fault, I missed it.
Comment #32
Damien Tournoud CreditAttribution: Damien Tournoud commentedThis actually looks very good. Only one comment:
For extra consistency, that first
user_access('change own username')
should beuser_access('change own username', $account)
(but it should go after !$uid, because I'm not sure user_access() will work with a partial user object).Comment #33
cdale CreditAttribution: cdale commented@ Damien I'm not so sure about changing to
user_access('change own username', $account)
. That to me does not make sense.Shouldn't that permission be checked against the currently logged in user? Unless I'm mistaken, only users with the 'administer users' permission will be able to edit an account that is not their own anyway.
For me changing this would make the code feel less intuitive, as I would read it as "I'm allowed to change the username of an account that I am editing, so long as the owner of the account is allowed to change it".
I'm not against changing this, but I feel it makes more sense the way it is, and I can't see the benefits of changing it. What was your reasoning behind thinking adding the account to user access would make the if test more consistent?
If this is changed here, then it should probably also be changed in user_edit_form.
Comment #34
Damien Tournoud CreditAttribution: Damien Tournoud commented@cdale: it's just for consistency. The check is in three parts. The logical order would be: I'm allowed to change the user name of $account if:
Written as it is, the access check works, but makes really little sense.
Comment #35
cdale CreditAttribution: cdale commentedFair call. Do you think that the user_access('change own username') in user_edit_form should also be adjusted? My initial impression would be yes.
Would you agree with the following check?
if (!$uid || ($GLOBALS['user']->uid == $uid && user_access('change own username')) || user_access('administer users'))
And in the user_edit_form()
if ($register || ($GLOBALS['user']->uid == $uid && user_access('change own username')) || $admin)
Comment #36
Damien Tournoud CreditAttribution: Damien Tournoud commented@cdale: looks really better.
Comment #37
Dave Reid@cdale... aside from using $GLOBALS instead of global $user.
EDIT: Oh nevermind, core does it too. Forgive me. :)
Comment #38
cdale CreditAttribution: cdale commentedRe-roll with above suggestion.
Comment #39
chx CreditAttribution: chx commentedHow did this skip my attention for so long? Yes, yes, YES! arg(X) should die.
Comment #40
Dries CreditAttribution: Dries commentedCommitted to CVS HEAD. Changing version and status to D6.
Comment #41
cdale CreditAttribution: cdale commentedUpdate and re-roll for D6.
Comment #42
Damien Tournoud CreditAttribution: Damien Tournoud commentedFor D6, it would be better not to change function signatures (I know, those are private core functions, but still... we never know what module authors do with them).
Comment #43
LUTi CreditAttribution: LUTi commentedI am using the patch #41 on my production site for almost 2 weeks now, and don't observe any issues - so, it shall be RTBC, according to me.
Comment #44
cdale CreditAttribution: cdale commentedRe-roll with the suggestion in #42.
Comment #45
Dave ReidBleh, I wish we could change these and not keep the API the same. :(
Comment #46
cdale CreditAttribution: cdale commentedI've been running this patch just fine with no issues. It's seem simple enough to me, the API does not change, does anyone else think this is RTBC?
Comment #47
Damien Tournoud CreditAttribution: Damien Tournoud commentedMakes complete sense, let's move it in front of Gabor eyes.
Comment #48
Gábor HojtsyReviewed closely, looks good, committed to Drupal 6, thanks!
Comment #50
GreyHawk CreditAttribution: GreyHawk commentedGábor Hojtsy --> Does this mean that the patch is in the 6.11 update, or that it is approved but we still have to patch our 6.10 and 6.11 sites...?
Comment #51
cdale CreditAttribution: cdale commentedThis patch was in the 6.10 release, and will be in any subsequent releases, including 6.11.
Comment #52
heacu CreditAttribution: heacu commentedsubscribing