External application is redirected to frontpage in maintenance mode

The Needs Review Queue Bot → tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

Consult the Drupal Contributor Guide → to find step-by-step guides for working with issues.

The reason is described as "If the site is offline, log out unprivileged users." but I still can't understand why we should force the logout for all users, instead of just showing the "Site is offline" message on the blank page?

Imagine, you use public computer, and the site occasionally goes in maintenance. You need go away soon, but you have no ability to log out. As a rule typical user have no skills to clean up cookies, use guest mode in public computers, etc. In this way the next user would see your account, and could get you PI data or compromise you on this site, delete account, etc.

The issue could be solved providing access to "Log Out" action in maintenance too, but looks like that Drupal just uses force-logout.

10.x patch should work for 11 branch too.

Have to agree, not sure the redirect is needed so the change LGTM.

The Needs Review Queue Bot → tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

This does not mean that the patch needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

Consult the Drupal Contributor Guide → to find step-by-step guides for working with issues.

Hello,

I faced this problem today.
We have routes that are called in ajax, some of them are called every 20 seconds on some lesson page in order to save the time spent by the student on the lesson.
In the middle of a deployment procedure, with the site under maintenance, an error was caused by this ajax route when it shouldn't have. Because there is no way the code of this ajax route could possibly cause this specific error.

After debugging I discovered that the first time the ajax route is called, when the student is still authenticated, the homepage was returned in HTML by the ajax call. Any call after that would return a nice 503 service unavailable response. So it was the building of the homepage that was responsible for that error when calling the ajax route the first time.

I debugged a little further and discovered the MaintenanceModeSubscriber.php of the user module that forces the log out and forces the redirect to the homepage.

I am happy to discover that this issue exists, but I'm skeptical to see that no final decision could be made so far :/
Personally I also believe that this redirect to the front page should not be made, and that displaying the maintenance page is enough and better.
Even though I understand the point of "a user on a public computer that could not log out...", I also find it very frustrating to all our students that they get logged out every time we put the site under maintenance mode. So I would be in favor not to log them out anymore.

I actually think this could be introduced as a config checkbox on the maintenance mode page : "automatically log out unprivileged users who try to access the site while in maintenance mode" (can be safer for users who logged in on a public computer and cannot log out while site is in maintenance)
In the mean time, I think I'm going to try the patch that gets rid of the forced log out and the forced redirect to front page.

Nicolas

Review the patch, created MR with respective changes. Please review, moving to NR

Thank you the patch applies cleanly on Drupal 10.3.2 and fixes the problem of the HTML of the front page being sent in response of the ajax call when the user is logged out. Now we immediately have the simple 503 service unavailable error which is what we want.

I don't think the redirect was added in #1998228: Remove hook_menu_site_status_alter() in favor of request listeners → , it was moved in that issue. As far as I can tell the original redirect was added in #363580: OpenID login fails when in maintenance mode → . However this has been moved around so much since then, and changed from what it used to do, that I agree it doesn't make any sense any more.

The one situation I can see is that say you are on /user or /some/admin/path and you get logged out by maintenance mode, if you refresh the page you'll get a 403 and you might not know why. But equally, you might not know why you got redirected to the front page either.

Committed/pushed to 11.x and backported back through to 10.3.x, thanks!

I agree with not removing the user logout due to the public computer issue in this change because it's not necessary to fix the bug - however I think we could open a follow-up to discuss the pros/cons of removing the logout. The public computer issue is very unlikely (and any networking or site issue that's not maintenance mode could result in someone not being able to log out at a precise moment), but people being logged out in the middle of something and losing progress is not.

catch → closed merge request !9343

Automatically closed - issue fixed for 2 weeks with no activity.