[drupal-devel] [bug] Wrong Login Error

Fri Jun 17 06:38:02 UTC 2005

Issue status update for http://drupal.org/node/3962

 Project:      Drupal
 Version:      cvs
 Component:    user system
 Category:     bug reports
 Priority:     minor
 Assigned to:  deekayen
 Reported by:  dziemecki
 Updated by:   deekayen
 Status:       patch
 Attachment:   http://drupal.org/files/issues/blockeduser.diff (1.29 KB)

Just your comments made me see where I went wrong with the previous
patches. I'd never used the access control rules before, so I thought
blocked user == access controlled username.

As far as I could tell, the only place to where a blocked username
check was needed is at login. This patch adds a user_blocked() to just
user.module and has a separate blocked error message from the access
check.

deekayen

Previous comments:
------------------------------------------------------------------------

November 5, 2003 - 21:01 : dziemecki

When a new user logs on after they're ID and password were sent to them,
but before their account was "unblocked", they get the follwoing error:

"Sorry. Unrecognized username or password. Have you forgotten your
password?"

That may or may not count as a bug, but it not entirely accurate, and
might be a little confusing.

------------------------------------------------------------------------

June 14, 2005 - 03:19 : deekayen

I don't mind assigning this one to myself, but I'm not familiar enough
with the function of the access table to complete the patch. Should
blocked users be entered into the access table?

Right now, user.module has a drupal_deny check with the correct error
message, but it doesn't get displayed because the only place a person
gets blocked is in the users table. To be more normalized, I'd just
leave the block in the users table, but does someone intend to move the
user block to the access table?

------------------------------------------------------------------------

June 15, 2005 - 21:37 : deekayen

Attachment: http://drupal.org/files/issues/blockedloginmessage.patch (1.26 KB)

Right now when users are blocked, they're not added to the access table,
so this patch just checks the users table for blocked logins. The check
in user.module's user_login() should work now and give the correct
error message that was there all along.

------------------------------------------------------------------------

June 15, 2005 - 21:45 : deekayen

Attachment: http://drupal.org/files/issues/removeactivereset.patch (882 bytes)

This patch goes with the previous one. Without it, when you edit a
blocked user to make them active again, they remain blocked and the
edit screen shows an error message about the user being blocked. I
don't really know if that's the intended behavior to have blocks be
permanent, but permanent blocks don't seem right to me.

------------------------------------------------------------------------

June 16, 2005 - 09:04 : moshe weitzman

I'm not so sure about this one. We should continue to distinguish
between a 'user block' and a 'host ban'.

------------------------------------------------------------------------

June 16, 2005 - 09:12 : killes at www.drop.org

I agree with Moshe.

I think we should test whether a user hasn't logged in before and then
give a different message then when he got blocked later.