Do not redirect users to their account page when their password is expired when validating accounts. [#1924118]

We logintoboggin to allow users to be logged into their site immediately after registering. We also use this module to force all users to change their password after registering.

New users receive a welcome asking them to validate their account. However, because this module acts on init, and that gets in before logintoboggin is able to validate the email addresses, users get instantly redirected away from the validation url (eg, user/validate/809/1361485476/9huQTwrCr-RJyfPLryhaik3BTvoPxpgRGLu4rfhYldA) and sent to their edit profile page. So, they never get properly validated. The the same is true of the core email validation process at /user/reset/*.

This module should not do the force redirection when on these paths so that users can properly validate/activate their accounts.

Comment	File	Size	Author
#15	1924118-password-policy-hook-expire-15.patch	2.79 KB	erikwebb
#13	1924118-password-policy-hook-expire.patch	2.78 KB	coltrane
#8	924118.8-password_policy-user-validate-with-skip-ajax.patch	1.41 KB	mrfelton
#7	924118.7-password_policy-user-validate-with-skip-ajax.patch	1.22 KB	mrfelton
#5	1924118.5-password_policy-user-validate-with-skip-ajax.patch	1.21 KB	mrfelton
#4	1924118.4-password_policy-user-validate.patch	982 bytes	mrfelton
#3	1924118.2-password_policy-user-validate.patch	876 bytes	mrfelton
#1	1924118-password_policy-user-validate.patch	875 bytes	mrfelton

Comments

Comment #1

mrfelton commented 21 February 2013 at 23:03

Status:

Active

» Needs review

Status	File	Size
new	1924118-password_policy-user-validate.patch	875 bytes

Comment #2

21 February 2013 at 23:06

Status:

Needs review

» Needs work

The last submitted patch, 1924118-password_policy-user-validate.patch, failed testing.

Comment #3

mrfelton commented 21 February 2013 at 23:09

Status:

Needs work

» Needs review

Status	File	Size
new	1924118.2-password_policy-user-validate.patch	876 bytes

typo.

Comment #4

mrfelton commented 21 February 2013 at 23:15

Status	File	Size
new	1924118.4-password_policy-user-validate.patch	982 bytes

They also need to be able to log out!

Comment #5

mrfelton commented 7 March 2013 at 20:29

Status	File	Size
new	1924118.5-password_policy-user-validate-with-skip-ajax.patch	1.21 KB

Following on from #1936688: Do not attempt to redirect users when called from php cli, POST, or system/ajax, I'm adding a couple moe exclusions to this list for php cli and ajax callbacks. Ultimately, as there are actually quite a few exclusions needed, I'd suggest that these should be extracted out into a provate function, as well as potentially providing a hook for other module to add to the exclude path list.

Comment #6

mrfelton commented 7 March 2013 at 20:27

Marked #1936688: Do not attempt to redirect users when called from php cli, POST, or system/ajax as a dupe.

Comment #7

mrfelton commented 15 April 2013 at 12:14

Status	File	Size
new	924118.7-password_policy-user-validate-with-skip-ajax.patch	1.22 KB

Slightly updated versions of the patch to also allow ajax urls for filefields, which can be attached to the user profiles and displayed on the user edit page. Without also excluding these paths from the redirection rule, the filefield widgets do not work correctly.

Comment #8

mrfelton commented 14 May 2013 at 16:01

Status	File	Size
new	924118.8-password_policy-user-validate-with-skip-ajax.patch	1.41 KB

Yet another exclusion needed here. This really needs to be abstracted into something that other modules can easily extend.

Comment #9

fastangel commented 16 September 2013 at 09:48

I think that other solutions is create a hook. Then other modules can implement this hook and return url to exclude. Into module we can implement this hook for exclude core paths (system,....)

What do you think?

Comment #10

erikwebb commented 16 September 2013 at 21:39

I think a hook works, or maybe a variable that has a sane default. I'm not sure we can expect modules to implement this hook consistently.

Comment #11

mrfelton commented 17 September 2013 at 08:04

> I'm not sure we can expect modules to implement this hook consistently

Why would modules implement this hook any less consistently that any other hook?

Comment #12

erikwebb commented 18 September 2013 at 23:15

Good point. Other than Drupal core, what other modules create specific problems here?

Comment #13

coltrane

he/him

commented 28 November 2013 at 00:04

Issue summary:

View changes

Status	File	Size
new	1924118-password-policy-hook-expire.patch	2.78 KB

#8 patch looks good to me but here's a hook approach since for instance I'm pretty sure Bakery won't want to force redirect during bakery auth.

Attached patch moves the arg() checks to new hook 'password_policy_expire_init_run'. I'm not in love with the name. Suggestions welcome. Also, should start an api.txt or api.php file documented hooks like this and how they're used.

Comment #14

erikwebb commented 2 December 2013 at 19:25

I'm thinking hook_password_policy_expire_url_exclude().

Comment #15

erikwebb commented 9 December 2013 at 03:28

Status	File	Size
new	1924118-password-policy-hook-expire-15.patch	2.79 KB

Renaming hook.

Comment #16

deekayen commented 4 June 2014 at 04:10

Status:

Needs review

» Fixed

Comment #17

18 June 2014 at 04:10

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Do not redirect users to their account page when their password is expired when validating accounts.

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

Comment #10

Comment #11

Comment #12

Comment #13

Comment #14

Comment #15

Comment #16

Comment #17

News items

Our community

Documentation

Drupal code base

Governance of community