[drupal-devel] [bug] User.module links for blocked/non-existant accounts + menu 403/404 issue

killes drupal-devel at drupal.org
Tue Aug 9 18:26:33 UTC 2005

Issue status update for 
Post a follow up: 

 Project:      Drupal
 Version:      cvs
 Component:    user system
 Category:     bug reports
 Priority:     normal
 Assigned to:  Steven
 Reported by:  Steven
 Updated by:   killes at www.drop.org
-Status:       active
+Status:       patch (code needs work)

Changing status.

I think the solution proposed makes sense.

killes at www.drop.org

Previous comments:

Sun, 19 Dec 2004 23:15:49 +0000 : Steven

Attachment: http://drupal.org/files/issues/user.blocked.patch (1.53 KB)

There is a bug in user.module that admins get a "page not found" message
for blocked accounts, even though they should be allowed to see them. I
also think that blocked accounts should return a 403 for non-admins,
not a 404.

The attached patch fixes these problems.

However, in experimenting with possible solutions I uncovered a weird
menu issue. Tracker.module and statistics.module register
"user/N/track". Contact registers a "user/N/contact" tab. These tabs
are dynamic and appear for all paths with the format "user/N". If
"user/N" decides to throw a 403 or 404 then the other tabs will still
appear, as the menu system hasn't changed its location.

You can see this in action at http://drupal.org/user/15396. This
account is blocked.

The cause is that the 403/404 checks for the tabs are each done in
their own menu handler (invoking drupal_not_found() or
drupal_access_denied()), and not in hook_menu. However moving the
checks to hook_menu would mean duplicating this check (and the queries)
across several modules, and we'd have to avoid the menu falling down
from "user/X/Y" to "user" (which has its own tabs, if you're an
anonymous user) if the menu handler is not registered.

Note that if custom 403/404 pages are used, then no tabs will show up
as menu_set_location() is called to move to the custom 403/404 page,
which is located somewhere else on the menu tree.

This is further amplified by the fact that the access rules for the
different tabs are inconsistent (some don't respect admin overrides,
some don't respect blocked status).

We can fix this problem by calling menu_set_location() with some dummy
location in drupal_not_found() and drupal_access_denied(), thus
ensuring we're somewhere else in the menu tree.  In that case, the tabs
won't appear for any 403/404. If we make the access rules across the
different tabs consistent, then what you see in the UI (no tabs) will
match the access rules.

What do you guys think?


Mon, 20 Dec 2004 08:59:45 +0000 : killes at www.drop.org

I'd like this to get fixed, but I think your patch is incomplete for
technical reasons:

***** CVS exited normally with code 1 *****


Mon, 20 Dec 2004 14:30:04 +0000 : Steven

The patch only fixes the 403/404 and does not address the tabs issue
yet, as I was not sure what the best approach was. The "*** CVS" thing
is normal.


Sun, 13 Mar 2005 18:09:42 +0000 : killes at www.drop.org

Doesn't apply anymore.

More information about the drupal-devel mailing list