Lazy sessions and authorization (Drupal)

Cantor, Scott cantor.2 at osu.edu
Mon Nov 4 11:08:41 EST 2013


On 11/4/13, 10:44 AM, "Laas Toom" <Laas.Toom at ut.ee> wrote:
>
>I tried the 'OR NOT valid-user' scheme and it did not work.
>
>The OR NOT valid-user scheme denied access outright to the second group,
>while allowing both 1 and 3 groups.

I see why that wouldn't work.

But I don't understand the point of the second group. If you're
authenticated but not authorized, then by definition you either have to
let them in or not. If you do, then your policy makes no sense, they *are*
authorized. So why have the policy at all?

You're saying you want to let everybody in, so just let everybody in. I
really don't get what you're after, and that alone is why I would never
consider changing behavior or making things more complex.

I thought what you wanted was to allow 1 and 3 in, and it sounds like that
worked. That's all I can see ever working.

Saying "ignore unauthorized session" is the same as not having the authz
rule there.

-- Scott
