[development] global $user unavaialable?

David Metzler metzlerd at metzlerd.com
Mon Mar 23 17:39:51 UTC 2009

Thanks for pointing out the obvious flaw in my reasoning.  I really  
needed it. (Not sarcasm).  You got me going enough to put my  
debugging on track.

The Session was new because of the difference between navigating to  
http:  vs. navigating to https:  I'd originally logged in to the  
drupal 6  via http, but then the drupal 5 site redirected to https  
url of the site.  Drupal doesn't seem to detect the user as logged  
in.  Oddly enough, only if redirected there from another drupal  
site??? I can't reproduce this behavior when I just navigate to  
different sites with the browser.

Once my module detects that there's no logged in user, it redirects  
to user/login, which presents a login page.  When the user presses  
the submit button on this page, they get an access denied because  
drupal finally detects that the user is already logged in.  I'm a bit  
puzzled as to why it didn't detect this at the inital redirect, and  
really puzzled about the difference in behavior between a redirect,  
and if I just type in the url directly.

Given that this is third party soffware doing the redirect from  
drupal 5, I'm not sure whether this is a bug or not.  I can work  
around the problem by instructing users to change their $base_url on  
the cas server site to make sure that it's always https, or implement  
secure_pages or something like that.

Does anyone with more knowledge of drupal session handling have any  
idea as to why drupal would detect the currently logged in user  
incorrectly when being redirected, but not when typing the url into  
the browser?

On Mar 20, 2009, at 11:30 AM, Moshe Weitzman wrote:

> that snippit tests if the user is logged in, not if $user is
> populated. you could have a full anonymous $user object.
> the basic loading of a $user gets triggerred by session_start() but if
> you have to call that on your own you are way off the beaten path in
> Drupal and really need to grok whats happenning step by step in order
> to assure security and code sanity. that gives a basic $user object.
> If you need it call, you might have to call user_load() yourself.
> On Fri, Mar 20, 2009 at 2:02 PM, David Metzler  
> <metzlerd at metzlerd.com> wrote:
>> I'm working on implementing a new cas_server module that allows  
>> drupal
>> accounts to be used as a single - sign on source.  I have a drupal  
>> 5 site
>> issues a redirect to a drupal 6 site, and when I redirect to that  
>> page I
>> don't find that the $user global is populated.  Is there some  
>> function or
>> include that I should b calling to make sure that this data is there?
>> Code snippet that isn't returning correct data.
>> global $user
>> if ($user->uid) {
>>  drupal_set_message('user logged in');
>> }
>> else {
>>  drupal_set_message('User not logged in');
>> }
>> Note that if I click on any other link in the drupal page.  I show  
>> as being
>> logged in, but the redirect to this page does not load the $user  
>> variable.
>> Developing against drupal 6.10

More information about the development mailing list