Issue status update for http://drupal.org/node/14591 Post a follow up: http://drupal.org/project/comments/add/14591 Project: Drupal Version: cvs Component: user system Category: bug reports Priority: normal Assigned to: Steven Reported by: Steven Updated by: killes@www.drop.org -Status: active +Status: patch (code needs work) Changing status. I think the solution proposed makes sense. killes@www.drop.org Previous comments: ------------------------------------------------------------------------ Sun, 19 Dec 2004 23:15:49 +0000 : Steven Attachment: http://drupal.org/files/issues/user.blocked.patch (1.53 KB) There is a bug in user.module that admins get a "page not found" message for blocked accounts, even though they should be allowed to see them. I also think that blocked accounts should return a 403 for non-admins, not a 404. The attached patch fixes these problems. However, in experimenting with possible solutions I uncovered a weird menu issue. Tracker.module and statistics.module register "user/N/track". Contact registers a "user/N/contact" tab. These tabs are dynamic and appear for all paths with the format "user/N". If "user/N" decides to throw a 403 or 404 then the other tabs will still appear, as the menu system hasn't changed its location. You can see this in action at http://drupal.org/user/15396. This account is blocked. The cause is that the 403/404 checks for the tabs are each done in their own menu handler (invoking drupal_not_found() or drupal_access_denied()), and not in hook_menu. However moving the checks to hook_menu would mean duplicating this check (and the queries) across several modules, and we'd have to avoid the menu falling down from "user/X/Y" to "user" (which has its own tabs, if you're an anonymous user) if the menu handler is not registered. Note that if custom 403/404 pages are used, then no tabs will show up as menu_set_location() is called to move to the custom 403/404 page, which is located somewhere else on the menu tree. This is further amplified by the fact that the access rules for the different tabs are inconsistent (some don't respect admin overrides, some don't respect blocked status). We can fix this problem by calling menu_set_location() with some dummy location in drupal_not_found() and drupal_access_denied(), thus ensuring we're somewhere else in the menu tree. In that case, the tabs won't appear for any 403/404. If we make the access rules across the different tabs consistent, then what you see in the UI (no tabs) will match the access rules. What do you guys think? ------------------------------------------------------------------------ Mon, 20 Dec 2004 08:59:45 +0000 : killes@www.drop.org I'd like this to get fixed, but I think your patch is incomplete for technical reasons: ***** CVS exited normally with code 1 ***** ------------------------------------------------------------------------ Mon, 20 Dec 2004 14:30:04 +0000 : Steven The patch only fixes the 403/404 and does not address the tabs issue yet, as I was not sure what the best approach was. The "*** CVS" thing is normal. ------------------------------------------------------------------------ Sun, 13 Mar 2005 18:09:42 +0000 : killes@www.drop.org Doesn't apply anymore.