I created two watchdog notices: One in user_access (showing $string and result: true/false) and one in the hook_user "load" (showing roles returned) operation. I logged in as user in question, went to groups, clicked on "create link", got "Access denied". One of the roles that is returned by the og modified $user->roles gives this user the permission to "create link". The watchdog entries verify that for the url in question: /node/add/link?gids[]=29, the correct roles are returned in $user->roles and the correct access in user_access. Yet access is denied. Does the following bit of information provide a clue?: When I load the "devel" module, and give this user access to it (through access control), the user does not receive "Access denied" message when clicking on "create link". If I go into access control, and remove permissions for "devel" module, the user still continues to be able to "create link". However, if as admin I delete the cache, run cron.php, logout and log back in as user, the "Access denied" message returns. It seems that if this is a cache problem, clearing the cache doesn't appear to resolve it. I really appreciate any insight. I've been working on cracking this for 8 months now. It's driving me nuts because there must be something somewhere, either in user_access or node_access or some other hook that's if I only knew I could correct the problem. Thanks so much! David Metzler wrote:
Thinking about this maybe the problem is user_access, not the roles themselves. Check out the user_access function in user.module. Note that is uses a static variable caching mechanism, so it may have already determined the results of "user_access" before you've modified the roles. (It would need to in order to route the request and check access permissions).
One way to check would be to call user_access immediately after you set the roles, and see if it gives you the proper result, (in your watchdog or debug files).
The bad news is that I don't really know of a good way to solve this if that's the case. I'm afraid that we need a hook_user_access in core in order to implement this. Either that or an added parameter to force user_access to ignore the cache.
Here's hoping I'm wrong :).
Dave
On May 21, 2007, at 3:39 PM, Ron Parker wrote:
Thanks so much for the reply. Here's what I tried in hook_init:
function og_user_roles_init () { global $user; $roles = og_user_roles_all_roles($user); // This returns normal $user->roles and includes OG roles if any $user->roles = $roles; $displayRoles = implode(",", $roles); if ($user->uid) watchdog('og_user_roles', 'user roles = ' . $displayRoles); // Show this in log if it hits. }
Here's what I tried in hook_user:
// Add the group roles to $user->roles if this is a group // This should only be effective until the next global $user call if ($op == "load") { $roles = og_user_roles_all_roles($user); // This returns normal $user->roles and includes OG roles if any $user->roles = $roles; } // end $op load
I looked at the watchdog and my own debug file, and the correct roles are being returned each and every time. My guess is that $user->roles is doing what it should, but there is something else happening in the node/add (http://www.mysite.com/ node/add/link?gids[]=29) process that doesn't depend upon $user->roles that is causing the access denied error.
Again, any clues would be much appreciated.
-ron
David Metzler wrote:
I've run into similar problems with using user_load to alter user_data. User_load doesn't fire as often as you might think it does due to some caching strategies. To prove this, place a drupal_set_message call in your user_load trap and see when it fires. It may not be firing on the page where you're getting the access denied errors.
To solve my problem I had to move user alteration into the init hook.
It may be that there's core bug here, but I haven't yet tracked it down since the init hook solved my problem.
I never did find out why user_load wasn't firing. On May 15, 2007, at 11:56 AM, Ron Parker wrote:
A few weeks back I floated my og user roles module idea on this list as instructed by CVS Admin. This module (http://drupal.org/ node/87679) is designed to assign roles to OG group members that are specific to the groups they are in. The problem was that I had to patch the core user.module in order to get it to work.
After a couple of suggestions, I decided to formulate a proposal for a Drupal hook. What I thought made the most sense was either a user_access hook or a $user->roles hook because what I wanted to do was add roles to the site wide roles returned by $user-
roles. user_access (which returns permissions allowed according to roles) is called by node_access which is what determines access on a node/ add.
I recently proposed a $user->roles hook (http://drupal.org/node/ 143393), and someone pointed out that I could accomplish the same thing by using the existing hook_user "load" operation. They were right. I modified my module to add the appropriate roles to the user object using hook_user "load" and in testing, it appears that $user->roles now returns the OG group as well as the site wide roles when a user is in a group.
However, on a group node add, for example, http://www.mysite.com/ node/add/link?gids[]=29, my user gets an "Access denied" error. I wrote a little debug program that writes out the values returned by my hook_user "load" addition, and every time it's called it returns the correct values.
node_access would be the access control for a group node add. I have examined the code closely, and this is the only code that would be executed on a node "create":
// Can't use node_invoke(), because the access hook takes the $op parameter // before the $node parameter. $module = node_get_types('module', $node); if ($module == 'node') { $module = 'node_content'; // Avoid function name collisions. } $access = module_invoke($module, 'access', $op, $node); if (!is_null($access)) { return $access; }
This code would then call "node_content_access" (hook_access for node), which would use "user_access" (thus calling global $user, thus invoking my modification) to determine access.
So, I'm at a complete loss as to why I would get an "Access denied" error for a group role. I need some help!
The only thing I have noticed which seems to give me a clue is that when I load the "devel" module and give users access, everything works. But, I can't figure out what the devel module is doing that would cause this.
Any hint, clue or anything would be appreciated. Thanks!
-ron
-- Ron Parker Software Creations http://www.scbbs.com Self-Administration Web Site http://saw.scbbs.com SDSS Subscription Mgmt Service http://sdss.scbbs.com Central Ave Dance Ensemble http://www.centralavedance.com R & B Salsa http://www.randbsalsa.com
__________ NOD32 2277 (20070518) Information __________
This message was checked by NOD32 antivirus system. http://www.eset.com
-- Ron Parker Software Creations http://www.scbbs.com Self-Administration Web Site http://saw.scbbs.com SDSS Subscription Mgmt Service http://sdss.scbbs.com Central Ave Dance Ensemble http://www.centralavedance.com R & B Salsa http://www.randbsalsa.com
__________ NOD32 2285 (20070522) Information __________
This message was checked by NOD32 antivirus system. http://www.eset.com
-- Ron Parker Software Creations http://www.scbbs.com Self-Administration Web Site http://saw.scbbs.com SDSS Subscription Mgmt Service http://sdss.scbbs.com Central Ave Dance Ensemble http://www.centralavedance.com R & B Salsa http://www.randbsalsa.com