[drupal-devel] [feature] Allow annoymous users to log in on access
denied
willmoy
drupal-devel at drupal.org
Mon Aug 1 05:17:44 UTC 2005
Issue status update for
http://drupal.org/node/24050
Post a follow up:
http://drupal.org/project/comments/add/24050
Project: Drupal
Version: cvs
Component: user system
Category: feature requests
Priority: normal
Assigned to: gordon
Reported by: gordon
Updated by: willmoy
Status: patch (code needs review)
If we implement an option for user/login, it's going to be reasonable
for someone to request an option for user/register (please register to
gain access to premium content/full articles/whatever). Same again for
a dual login/register page.
I'm working on a site with most content behind the login, and I've been
struck by how unenticing user/login and user/register are anyway.
Perhaps adding to the handbook a selection of nicely done, helpful
custom 403s (that maybe tie in to drupal themes) with a good
explanation of how to use them would provide the functionality and help
people make more attractive sites. The form description could include a
link.
The custom 403 on that site shows 'You do not have permission to view
this page' if the visitor is logged in or 'You need to log in' if it's
an anonymous visitor. If they log in, they are sent straight to
whatever page they wanted in the first place. I'd paste it here, but it
wouldn't survive the input check. More than happy to share it, though.
willmoy
Previous comments:
------------------------------------------------------------------------
Wed, 01 Jun 2005 05:51:25 +0000 : gordon
Attachment: http://drupal.org/files/issues/denied_login.diff (1.41 KB)
If the user is anonymous, then the user will be presented with the login
page 'user/login' instead of a the 403 default page. If the user then
logins in and has access to the page they will then get redirected to
the page they were trying to access. If the user is already logged in
then they will get the defined 403 page.
With the standard system you cannot just set user/login as the 403 page
as you will not be redirected to the page that you were originally
requesting, but instead to the user page.
------------------------------------------------------------------------
Sun, 05 Jun 2005 00:22:06 +0000 : gordon
Attachment: http://drupal.org/files/issues/denied_login2.patch (3.43 KB)
here is a newer version of the patch which adds an option to
admin/settings page so this functionality can be turned off and on.
------------------------------------------------------------------------
Sun, 05 Jun 2005 01:38:39 +0000 : moshe weitzman
I have been wanting this since i first saw drupal (i.e. a long time). +1
------------------------------------------------------------------------
Sun, 05 Jun 2005 10:29:05 +0000 : Dries
Because the 403 page is configurable, this is already possible. This
patch only makes it more convenient. I tempted to say: "Won't commit,
but let's extend the form description a bit so it is clear this is
possible.". That or we add a link to the login page (without the extra
setting), cfr. to what the comment module does.
------------------------------------------------------------------------
Sun, 05 Jun 2005 12:06:40 +0000 : moshe weitzman
dries - upon executing the 403 handler, the original $_GET['q'] is lost.
That means that we cannot redirect to the destination page after login
and thats one of the main benefits of this patch.
------------------------------------------------------------------------
Sun, 05 Jun 2005 12:40:57 +0000 : gordon
Yes you can use the user/login link, but once you login you get the user
page and not the page you were triing to get to. Also if you are logged
in you will still get the user/login page when really you should get the
custom access denied page.
------------------------------------------------------------------------
Sun, 05 Jun 2005 20:57:20 +0000 : slower
What version of Drupal is this for? I'm using 4.5.
------------------------------------------------------------------------
Sun, 05 Jun 2005 23:47:19 +0000 : gordon
It is for cvs (4.7) I would have to rewrite it if I was to port it back
to 4.5
------------------------------------------------------------------------
Mon, 13 Jun 2005 23:49:02 +0000 : gordon
Dries, What is the verdict on this patch.
I have found no way of prompting anonymous users to login and continue
seemlessly without this patch. Please correct me if I am wrong, as this
is some functionality that I require.
------------------------------------------------------------------------
Tue, 14 Jun 2005 01:00:12 +0000 : neofactor
Glad to see it...
I had always just added the following custom pages:
http://neofactor.com/error403 (with a login link)
http://neofactor.com/error404 (Adding the auto search)
My 403's are only for non-members and all members have the same access.
I use PHP to control groups differently for lots of different clients,
so this works out well form me.
The auto redirect function is nice.... keeping the user's initial
request in place.
hey.... When is Drupal going to add images to pages at core? Visual
appeal.... It would be great if menu items and other areas started to
do this... then people could just swap them out. Just a wish list.
;)
------------------------------------------------------------------------
Tue, 14 Jun 2005 03:02:01 +0000 : gordon
Just adding the pages does work, but does not give the effect that I
need. You can always use the login box on the sidebar, which will do
the same thing.
You said that the 403's aren't used to logged in users as they have the
same privledge, But not everyone has the same privledge on your site
(unless everyone has the same rights as user 1 ;-))
So what if a user who is already logged in goes to /admin you do not
want to tell them that they need to login to get to the admin page, you
want to send them to a big go away page.
------------------------------------------------------------------------
Tue, 19 Jul 2005 11:34:19 +0000 : jjeff
Before I saw this thread, I posted another take on this bug at
http://drupal.org/node/26659. It explains the problem a little more
in-depth.
Here's the thing: What makes Drupal sites look like Drupal sites is
that they've got a login/password box on every page until the user is
logged in. For Drupal to become a mature platform, it's going to need
to move away from dependence on this crutch. Drupal should provide the
infrastructure to allow the option of a simple "Login/Register" link.
However, if a user gets an access denied message, they should be
prompted to log in.
As it is, the best that you can do after login is direct them back to
the node that defines the "Access Denied" message. This is more than
just confusing for the user. It's downright wrong!
Dries, please reconsider this patch and/or some variation that solves
this problem. It is essential for all current versions of Drupal.
Thanks,
Jeff
------------------------------------------------------------------------
Tue, 19 Jul 2005 11:52:21 +0000 : Kobus
In concept, a definitive +1 from me. Especially the mention that the
login box does not even display unless the user has to log in. I have
started to remove the block completely and put it in a menu somewhere
else so that it is not so obtrusive. For a commercial site, the
exaggerated login page makes it look "as if you have something to
hide". Not good.
Regards,
------------------------------------------------------------------------
Mon, 25 Jul 2005 14:57:15 +0000 : Steven
You say you can't use a custom 403 page because it doesn't know where it
came from... so, why not set a destination parameter instead? I think
all that needs to be done is set $_REQUEST['destination'] = $_GET['q']
before calling menu_set_active_item() in drupal_access_denied().
Probably the same for drupal_not_found().
The destination is then picked up by the login-block which adds
destination=drupal_get_destination() in the form's action.
------------------------------------------------------------------------
Mon, 01 Aug 2005 02:59:07 +0000 : gordon
The login block already picks up the correct page. but there are some
people who do not want to have a login block on the site, but use a
link to the login page to allow a user to login.
Also having getting users to enter in PHP code to solve this problem
IMO makes Drupal very unfriendly (in this area) as it will require the
admin to know a lot more about PHP than they should need to.
I have still not been able to user standard configuration options to
achieve this.
More information about the drupal-devel
mailing list