I'm working on a D7 site that assigns roles using the Shibboleth module's "dynamic" roles assignment and am having issues with those roles not being seen by TAC. What follows is my message and response from the Shib list. Any help would be greatly appreciated.

>when user roles are set dynamically the TAC doesn't seem to see them
>and does not allow the user to see those pages to which I've given
>them access. If I make a role rule sticky (or assign a group
>directly) then the user can see the pages correctly.
>
>I dug around a little and am not totally sure how the dynamic roles
>are being stored, but I'm assuming it's a session variable instead
>of a db variable.

Dynamic roles are added to the global $user object at run time.

>Is it possible that TAC only reads db variables
>and therefore does not see these dynamic roles?

I don't know TAC, you should probably ask them.

However, it is possible that TAC is invoked _before_ shib_auth and
therefore the role verification happens before the roles could be added
to the user. I don't know how we can avoid that; hints are welcome.

Kristof

Comments

xjm

Status: Active » Postponed (maintainer needs more info)

Could you clarify more what it means that TAC can't "see" the roles, and what API Shibboleth is using for these "dynamic" roles? AFAIK there is no hook_user_roles_alter()...

froboy

Status: Postponed (maintainer needs more info) » Active

Sorry for the long delay... project went up using the static roles and I haven't checked back on this.

It seems the problem is that shib assigns these roles by tacking them on the global $user variable (see http://pastebin.com/zXzht40r). "Sticky" rules are then saved to the db via db_insert('users_roles') but "dynamic" rules simply sit in $user for the session. So, since TAC pulls the user from the db to the role listing, I'm assuming it's not seeing the roles that are set in global $user.

Does that make more sense? If the shib module is doing this wrong would you have some advice on how to properly implement this?

Thanks.
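The mechanism froboy describes, illustrated as an added example (this is not code from the Shibboleth module, TAC, or this issue thread): in Drupal 7, a role attached only to the in-memory $GLOBALS['user'] is invisible to any code that rebuilds the account with user_load(), because user_load() reads users_roles from the database. Keeping the session's dynamic role ids in $_SESSION and re-attaching them in hook_user_load() makes the roles visible to every consumer of the account object, not just code that happens to look at the global. The module name "dynrole", the session key 'dynrole_rids', and the caller that would invoke dynrole_grant_session_roles() after login are all assumptions for the example.

```php
<?php
/**
 * Hypothetical "dynrole" module: make session-scoped roles visible wherever
 * the account is loaded, not only on $GLOBALS['user'].
 * The module name and the 'dynrole_rids' session key are assumptions.
 */

/**
 * Record the dynamically granted roles for this session and attach them to
 * the global user. A real authentication module would call this after it has
 * mapped identity-provider attributes to role names (assumed caller).
 *
 * @param array $role_names
 *   Role names derived from the login, e.g. array('editor').
 */
function dynrole_grant_session_roles(array $role_names) {
  global $user;
  $rids = array();
  foreach ($role_names as $name) {
    // Only grant roles that already exist; never create roles from attributes.
    if ($role = user_role_load_by_name($name)) {
      $rids[$role->rid] = $role->name;
    }
  }
  // Persist for the lifetime of this authenticated session only.
  $_SESSION['dynrole_rids'] = $rids;
  // Attach for the current request. On its own this is the "global $user only"
  // behaviour the thread describes: user_load() will not see these roles.
  $user->roles += $rids;
}

/**
 * Implements hook_user_load().
 *
 * user_load() rebuilds accounts from the users/users_roles tables, so roles
 * that live only in $GLOBALS['user'] are dropped. Re-attach the session's
 * dynamic roles to the logged-in account every time it is loaded.
 */
function dynrole_user_load($users) {
  if (empty($_SESSION['dynrole_rids'])) {
    return;
  }
  $current_uid = $GLOBALS['user']->uid;
  foreach ($users as $uid => $account) {
    // Only the session owner receives the session's roles, never another uid.
    if ($uid == $current_uid) {
      $account->roles += $_SESSION['dynrole_rids'];
    }
  }
}

/**
 * Implements hook_user_logout().
 *
 * Drop the dynamic grant so it cannot outlive the authenticated session.
 */
function dynrole_user_logout($account) {
  unset($_SESSION['dynrole_rids']);
}
```

With hook_user_load() in place, a consumer that calls user_load($uid) and reads $account->roles sees the same role set as code that inspects $GLOBALS['user'], so an access-control module that loads the account from the database no longer disagrees with the authentication module about what the user is allowed to do. The check in hook_user_load() that only the current session's uid receives the session roles matters: user_load() is also called for other accounts during a request (authors of listed nodes, for example), and those must not inherit the logged-in user's grants.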