Drupal Gotcha: Watch out for $user during update.php

If you disable access checking in update.php, there’s no guarantee that the update script will run with the superuser as the active user. Update functions that delete nodes or otherwise depend on access permissions can then misbehave.

To fix this, temporarily assume the identity of the superuser in the update functions that need it:

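global $user;
// Remember who is really running update.php.
$old_user = $user;
// Become the superuser (uid 1) for the access checks that follow.
$user = user_load(array('uid' => 1));
// Remember the session-saving setting, then turn saving off so the
// superuser identity is never written to this visitor's session.
$session = session_save_session();
session_save_session(FALSE);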

and then restore the old user afterwards:

$user = $old_user;
session_save_session($session);
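
The two snippets above combined into one update function, as an added example that is not code from the original post. It assumes the Drupal 6 API used in the post; the module name `mymodule`, the update number 6001 and the content type `obsolete_type` are hypothetical.

```php
<?php
// Added example. "mymodule", update 6001 and 'obsolete_type' are
// hypothetical; the API calls are the Drupal 6 ones used in the post.

/**
 * Switch the active user to uid 1 and return the state needed to undo it.
 */
function mymodule_become_superuser() {
  global $user;
  $state = array(
    'user' => $user,
    'save_session' => session_save_session(),
  );
  // Turn session saving off before switching, so an update that aborts
  // partway cannot leave this visitor's session stored as uid 1.
  session_save_session(FALSE);
  $user = user_load(array('uid' => 1));
  return $state;
}

/**
 * Put back the user and session-saving setting captured above.
 */
function mymodule_restore_user($state) {
  global $user;
  $user = $state['user'];
  session_save_session($state['save_session']);
}

/**
 * Delete all nodes of an obsolete content type.
 */
function mymodule_update_6001() {
  $ret = array();
  $state = mymodule_become_superuser();

  $deleted = 0;
  $result = db_query("SELECT nid FROM {node} WHERE type = '%s'", 'obsolete_type');
  while ($row = db_fetch_object($result)) {
    // node_delete() checks node_access('delete'), which is why the
    // active user matters here.
    node_delete($row->nid);
    $deleted++;
  }

  // Restore before returning so later updates run as the original user.
  mymodule_restore_user($state);
  $ret[] = array('success' => TRUE, 'query' => "Deleted $deleted obsolete_type nodes.");
  return $ret;
}
```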

4 responses to “Drupal Gotcha: Watch out for $user during update.php”

  1. Rob Loach says:

    Hey Sacha. I really loved your DrupalCon presentation!!!……… Considering this blog post, I think you’ll enjoy this Drupal.org issue:
    http://drupal.org/node/67234

  2. RTFVerterra says:

    I am not sure if this is connected to your post, but I don’t understand why Drupal was designed in such a way that user 1 can be deleted by another user with “user admin” privilege. I’ve been to this trouble, fortunately, it’s a dev site. Reinstall was my ultimate solution.

  3. Sacha Chua says:

    Might be time to hack core? ;)

    You could also access the database directly and change your user’s UID to 1, if that works…

  4. RTFVerterra says:

    I am not comfortable in dealing with database tables. I am not a developer, my experiences with Drupal are mostly achieved by trial and error approach. I can navigate through MySQL tables, but I never attempt to touch any record. Though I understand now the codes in page.tpl.php, my codes are all copy-pasted. :)
