[development] OG User Roles: user_access / node add / $user->roles
Ron Parker
sysop at scbbs.com
Tue May 22 19:24:38 UTC 2007
I created two watchdog notices: One in user_access (showing $string and
result: true/false) and one in the hook_user "load" (showing roles
returned) operation.
I logged in as user in question, went to groups, clicked on "create
link", got "Access denied".
One of the roles that is returned by the og modified $user->roles gives
this user the permission to "create link". The watchdog entries verify
that for the url in question: /node/add/link?gids[]=29, the correct
roles are returned in $user->roles and the correct access in
user_access. Yet access is denied.
Does the following bit of information provide a clue?:
When I load the "devel" module, and give this user access to it (through
access control), the user does not receive "Access denied" message when
clicking on "create link". If I go into access control, and remove
permissions for "devel" module, the user still continues to be able to
"create link". However, if as admin I delete the cache, run cron.php,
logout and log back in as user, the "Access denied" message returns.
It seems that if this is a cache problem, clearing the cache doesn't
appear to resolve it.
I really appreciate any insight. I've been working on cracking this for
8 months now. It's driving me nuts because there must be something
somewhere, either in user_access or node_access or some other hook
that's if I only knew I could correct the problem.
Thanks so much!
David Metzler wrote:
> Thinking about this maybe the problem is user_access, not the roles
> themselves. Check out the user_access function in user.module. Note
> that is uses a static variable caching mechanism, so it may have
> already determined the results of "user_access" before you've
> modified the roles. (It would need to in order to route the request
> and check access permissions).
>
> One way to check would be to call user_access immediately after you
> set the roles, and see if it gives you the proper result, (in your
> watchdog or debug files).
>
> The bad news is that I don't really know of a good way to solve this
> if that's the case. I'm afraid that we need a hook_user_access in
> core in order to implement this. Either that or an added parameter
> to force user_access to ignore the cache.
>
> Here's hoping I'm wrong :).
>
> Dave
>
>
> On May 21, 2007, at 3:39 PM, Ron Parker wrote:
>
>> Thanks so much for the reply. Here's what I tried in hook_init:
>>
>> function og_user_roles_init ()
>> {
>> global $user;
>> $roles = og_user_roles_all_roles($user); // This returns normal
>> $user->roles and includes OG roles if any
>> $user->roles = $roles;
>> $displayRoles = implode(",", $roles);
>> if ($user->uid) watchdog('og_user_roles', 'user roles = ' .
>> $displayRoles); // Show this in log if it hits.
>> }
>>
>> Here's what I tried in hook_user:
>>
>> // Add the group roles to $user->roles if this is a group
>> // This should only be effective until the next global $user call
>> if ($op == "load") {
>> $roles = og_user_roles_all_roles($user); // This returns
>> normal $user->roles and includes OG roles if any
>> $user->roles = $roles;
>> } // end $op load
>>
>> I looked at the watchdog and my own debug file, and the correct
>> roles are being returned each and every time.
>> My guess is that $user->roles is doing what it should, but there is
>> something else happening in the node/add
>> (http://www.mysite.com/ node/add/link?gids[]=29) process that
>> doesn't depend upon $user->roles that is causing the access denied
>> error.
>>
>> Again, any clues would be much appreciated.
>>
>> -ron
>>
>> David Metzler wrote:
>>
>>> I've run into similar problems with using user_load to alter
>>> user_data. User_load doesn't fire as often as you might think it
>>> does due to some caching strategies. To prove this, place a
>>> drupal_set_message call in your user_load trap and see when it
>>> fires. It may not be firing on the page where you're getting the
>>> access denied errors.
>>>
>>> To solve my problem I had to move user alteration into the init hook.
>>>
>>> It may be that there's core bug here, but I haven't yet tracked it
>>> down since the init hook solved my problem.
>>>
>>> I never did find out why user_load wasn't firing.
>>> On May 15, 2007, at 11:56 AM, Ron Parker wrote:
>>>
>>>> A few weeks back I floated my og user roles module idea on this
>>>> list as instructed by CVS Admin. This module (http://drupal.org/
>>>> node/87679) is designed to assign roles to OG group members that
>>>> are specific to the groups they are in. The problem was that I
>>>> had to patch the core user.module in order to get it to work.
>>>>
>>>> After a couple of suggestions, I decided to formulate a proposal
>>>> for a Drupal hook. What I thought made the most sense was either
>>>> a user_access hook or a $user->roles hook because what I wanted
>>>> to do was add roles to the site wide roles returned by $user-
>>>> >roles. user_access (which returns permissions allowed according
>>>> to roles) is called by node_access which is what determines
>>>> access on a node/ add.
>>>>
>>>> I recently proposed a $user->roles hook (http://drupal.org/node/
>>>> 143393), and someone pointed out that I could accomplish the same
>>>> thing by using the existing hook_user "load" operation. They
>>>> were right. I modified my module to add the appropriate roles to
>>>> the user object using hook_user "load" and in testing, it appears
>>>> that $user->roles now returns the OG group as well as the site
>>>> wide roles when a user is in a group.
>>>>
>>>> However, on a group node add, for example, http://www.mysite.com/
>>>> node/add/link?gids[]=29, my user gets an "Access denied" error.
>>>> I wrote a little debug program that writes out the values
>>>> returned by my hook_user "load" addition, and every time it's
>>>> called it returns the correct values.
>>>>
>>>> node_access would be the access control for a group node add. I
>>>> have examined the code closely, and this is the only code that
>>>> would be executed on a node "create":
>>>>
>>>> // Can't use node_invoke(), because the access hook takes the
>>>> $op parameter
>>>> // before the $node parameter.
>>>> $module = node_get_types('module', $node);
>>>> if ($module == 'node') {
>>>> $module = 'node_content'; // Avoid function name collisions.
>>>> }
>>>> $access = module_invoke($module, 'access', $op, $node);
>>>> if (!is_null($access)) {
>>>> return $access;
>>>> }
>>>>
>>>> This code would then call "node_content_access" (hook_access for
>>>> node), which would use "user_access" (thus calling global $user,
>>>> thus invoking my modification) to determine access.
>>>>
>>>> So, I'm at a complete loss as to why I would get an "Access
>>>> denied" error for a group role. I need some help!
>>>>
>>>> The only thing I have noticed which seems to give me a clue is
>>>> that when I load the "devel" module and give users access,
>>>> everything works. But, I can't figure out what the devel module
>>>> is doing that would cause this.
>>>>
>>>> Any hint, clue or anything would be appreciated. Thanks!
>>>>
>>>> -ron
>>>>
>>>> --
>>>> Ron Parker
>>>> Software Creations http://www.scbbs.com
>>>> Self-Administration Web Site http://saw.scbbs.com
>>>> SDSS Subscription Mgmt Service http://sdss.scbbs.com
>>>> Central Ave Dance Ensemble http://www.centralavedance.com
>>>> R & B Salsa http://www.randbsalsa.com
>>>>
>>>
>>>
>>> __________ NOD32 2277 (20070518) Information __________
>>>
>>> This message was checked by NOD32 antivirus system.
>>> http://www.eset.com
>>>
>>>
>>>
>>
>>
>> --
>> Ron Parker
>> Software Creations http://www.scbbs.com
>> Self-Administration Web Site http://saw.scbbs.com
>> SDSS Subscription Mgmt Service http://sdss.scbbs.com
>> Central Ave Dance Ensemble http://www.centralavedance.com
>> R & B Salsa http://www.randbsalsa.com
>>
>
>
> __________ NOD32 2285 (20070522) Information __________
>
> This message was checked by NOD32 antivirus system.
> http://www.eset.com
>
>
>
--
Ron Parker
Software Creations http://www.scbbs.com
Self-Administration Web Site http://saw.scbbs.com
SDSS Subscription Mgmt Service http://sdss.scbbs.com
Central Ave Dance Ensemble http://www.centralavedance.com
R & B Salsa http://www.randbsalsa.com
More information about the development
mailing list