Contrib.social

Roles being stripped from users when saved

Open on Drupal.org β†’
Created on 11 February 2022, over 2 years ago
Updated 12 September 2024, about 2 months ago

Problem/Motivation

Since updating to the most recent release, users are losing applied roles when edited by user 1 or likely any user with "administer roles" privileges.

It's something to do with role_delegation_user_presave in the module file. I'm still investigating.

Steps to reproduce

  1. Log in as user 1
  2. Edit any user
  3. Give them a role if they didn't have one already
  4. Save

Expected behaviour: user now has the roles that were ticked on the user edit form after saving.

Current behaviour: user has no roles after saving.

Proposed resolution

Skip the user_presave function if the editing user can edit roles without this module.

Remaining tasks

  • test
  • review
  • commit

User interface changes

None

API changes

None

Data model changes

None

πŸ› Bug report
Status

Closed: duplicate

Version

1.0

Component

Code

Created by

πŸ‡¦πŸ‡ΊAustralia darvanen Sydney, Australia

Live updates comments and jobs are added and updated live.
  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment over 1 year ago β†’
    πŸ‡©πŸ‡ͺGermany Anybody Porta Westfalica

    Unexpected role changes are a major issue, especially if you do not notice this change. Updating priority.

  • Comment about 1 year ago β†’
    πŸ‡ΊπŸ‡ΈUnited States bpizzillo

    I am going to jump on the me too boat here, but mine might be a different use case. We are actually seeing any users with the `assign XXX role` permission lose all their roles upon logging in. We do have simplesamlphp_auth, which I believe saves the user on each login.

    The only odd thing is, about a year+ ago when we first updated the module, we found if we cleared the cache and regranted users the deleted roles they would keep them for a period of time until they got removed again. We were updating to 9.4 and bumped all modules and could not reproduce in dev, so we only updated what was needed. We found that we needed a certain amount of user traffic logging in before it would remove the roles. I assumed it might have been a memcache issue or something in Simplesamlphp_auth.

  • Comment 3 months ago β†’
    πŸ‡ΊπŸ‡¦Ukraine nnevill Lutsk
  • First commit to issue fork.
  • Comment 3 months ago β†’
    πŸ‡¬πŸ‡§United Kingdom scott_euser

    Hmm actually neither of these work properly it seems:

    • Patch in #12 does not actually allow any changes to be made as it just re-pulls the roles from the user entity ignoring any form submission
    • MR 3263782-roles-being-stripped does not consider cases where there are multiple form modes, so if a form mode for the user does not contain the role field, yet the user has access to the role delegation permission, it removes the roles

    So I created 3263782-roles-being-stripped-request-check which just adds a check that the current presave is triggered by a form that has the role change in the request. If it is missing, the change to roles is skipped and roles are left as is. The checks for what roles the user is allowed to change are untouched.

  • Merge request !15Roles being stripped from users when saved β†’ (Open) created by scott_euser
  • Comment 3 months ago β†’
    πŸ‡¬πŸ‡§United Kingdom scott_euser

    scott_euser β†’ changed the visibility of the branch 3263782-roles-being-stripped to hidden.

  • Status changed to Needs review 3 months ago
  • Comment 3 months ago β†’
    πŸ‡¬πŸ‡§United Kingdom scott_euser

    Hid the other two for now, but feel free to unhide if you disagree. Setting to NR

  • Comment about 2 months ago β†’
    πŸ‡¦πŸ‡ΊAustralia acbramley

    Can this and πŸ› Roles being stripped from users when saved if user has no access to roles field Needs work be combined? They look like duplicate issues.

  • Status changed to Closed: duplicate about 2 months ago
  • Comment about 2 months ago β†’
    πŸ‡¬πŸ‡§United Kingdom scott_euser

    Aha good spot, yep duplicate

  • Comment about 2 months ago β†’
    πŸ‡¦πŸ‡ΊAustralia acbramley

    Thanks! I think the solution over there is a little cleaner too.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024