[drupal-devel] [feature] Authentication hook for local users

nedjo drupal-devel at drupal.org
Sun Sep 11 14:49:17 UTC 2005


 Project:      Drupal
 Version:      cvs
 Component:    user.module
 Category:     feature requests
 Priority:     normal
 Assigned to:  Anonymous
 Reported by:  naudefj
 Updated by:   nedjo
 Status:       patch (code needs work)

"The fix allows local users (i.e. just "user") to be authenticated
against an external source."

Why?  I assume authentication should be either local or external--not
both.  Therefore, we need a way to distinguish between the two. 
Currently, the username@domain convention is used.  Removing the
@domain part of the DrupalID would remove this distinction.  Is the
issue just that this convention is confusing for new users?  In this
case, I'd suggest pulling the domain part out into a different field. 
So, when drupal.module is enabled, there is a third user login field,
"site" or "domain", that would include "local" and any registered


Previous comments:

Thu, 18 Aug 2005 20:46:57 +0000 : naudefj

Please implement a hook to authenticate local users - similar to what
hook_auth does for remote users. Alternatively, extend hook_auth to
authenticate both local and remote users.

Current behaviour:
-  If a user logs in with "user@domain", hook_auth gets activated;
-  If a user logs in with "user", hook_auth is bypassed.

More details: http://drupal.org/node/27959


Sat, 20 Aug 2005 20:11:29 +0000 : killes at www.drop.org

use hook_user(login)


Sat, 20 Aug 2005 20:38:53 +0000 : naudefj

I just tried hook_user(login), but it only fires when a valid drupal
userid/password is entered.


Sat, 20 Aug 2005 21:03:38 +0000 : naudefj

I found the reason why hook_auth only works for remote users. Look at
this code from users.module:

  // Try each external authentication source in series. Register user
  // successful.
  else if (!$user->uid && $server) {

Is this something that should be fixed, or should I just comment out
the "&& $server" part myself?


Sun, 28 Aug 2005 19:03:24 +0000 : naudefj

Attachment: http://drupal.org/files/issues/user_31.patch (1.7 KB)

Here is a patch that will allow HOOK_AUTH to work for both local and
remote users. It would be great if it can be reviewed and applied to


Sun, 11 Sep 2005 05:32:55 +0000 : moshe weitzman

hook_auth deliberately is ineffective for local logins. if you enable it
for all logins, you will slow down the experience for many people who
guess their passwords wrong on login page. in that case, code would
call all remote auth modules and they in turn would contact their home
base. that's too slow. we want to return a 'sorry try again' message
very quickly.

what are you trying to accomplish here?


Sun, 11 Sep 2005 06:59:52 +0000 : naudefj


> hook_auth deliberately is ineffective for local logins. 

Not true. HOOK_AUTH cannot be used for local logins. Look at this line
in user.module:
   else if (!$user->uid && $server) {

> what are you trying to accomplish here?

I would like my users to use their existing forum userids and passwords
to login to Drupal. However, I quickly discovered that external
authentication only works if you append a domain/servername to your
userid. For example, if a username like "user*@domain*" is entered,
HOOK_AUTH gets activated. Problem is that if a userid like "user" is
used, HOOK_AUTH will be bypassed. This fix allows local users (i.e.
just "user") to be authenticated against an external source.

Any other solutions/suggestions would be greatly appreciated!

Best regards.
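
The behaviour debated in this thread, modelled as an added example (not code from user.module or from any poster): model_login, forum_auth and the sample accounts are hypothetical. It contrasts keeping the "&& $server" guard with removing it, printing which logins succeed and how many external lookups each variant makes.

```php
<?php
// Simplified model of the login dispatch discussed in this thread. Added
// illustration, not user.module code; all names here are hypothetical.
$local_users = ['alice' => password_hash('local-pw', PASSWORD_DEFAULT)]; // constructed
$external_calls = 0;

// Stand-in for one module's hook_auth implementation (e.g. a forum bridge).
function forum_auth(string $name, string $pass, string $server): bool {
  global $external_calls;
  $external_calls++; // each call stands for a remote round trip
  return $name === 'bob' && hash_equals('forum-pw', $pass); // constructed account
}

function model_login(string $login, string $pass, bool $require_server): string {
  global $local_users;
  // Local check first, against the name exactly as entered.
  if (isset($local_users[$login]) && password_verify($pass, $local_users[$login])) {
    return 'local';
  }
  // "user@domain" splits into name and server; a bare "user" has no server.
  $parts = explode('@', $login, 2);
  $name = $parts[0];
  $server = $parts[1] ?? '';
  // The guard under discussion: external sources run only if a server was given.
  if (!$require_server || $server !== '') {
    foreach (['forum_auth'] as $hook) {
      if ($hook($name, $pass, $server)) {
        return 'external';
      }
    }
  }
  return 'denied';
}

foreach ([true, false] as $require_server) {
  $external_calls = 0;
  $results = [
    model_login('alice', 'wrong-pw', $require_server),    // mistyped local password
    model_login('bob', 'forum-pw', $require_server),      // bare forum name
    model_login('bob@forum', 'forum-pw', $require_server),
  ];
  printf("require_server=%s results=%s external_calls=%d\n",
    var_export($require_server, true), implode(',', $results), $external_calls);
}
```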

