shib_auth-content-access-dynamic-roles-issue-2129387-X.patch

From 30a31eae993d24aa5e4887e6ae8a0dab026f5c5d Mon Sep 17 00:00:00 2001
From: Dan Braghis <zerolab@354424.no-reply.drupal.org>
Date: Mon, 20 Apr 2015 09:14:37 +0100
Subject: [PATCH] Fix content access issues on first login

---
 shib_auth.module | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/shib_auth.module b/shib_auth.module
index 0c6936a..e4d8694 100644
--- a/shib_auth.module
+++ b/shib_auth.module
@@ -659,14 +659,29 @@ function shib_auth_consent_update($uname, $umail_single, $uid) {
  * Assign roles to the user's session
  */
 function shib_auth_role_assignment() {
-  //generate role cache if it doesn't exists
-  shib_auth_generate_rolenames(FALSE);
-  if (shib_auth_session_valid() && !user_is_anonymous() && empty($_SESSION['shib_auth_account_linking'])) {
+  if (shib_auth_session_valid() && !user_is_anonymous()
+      && empty($_SESSION['shib_auth_account_linking'])) {
+    // Generate role cache if it doesn't exist
+    shib_auth_generate_rolenames(FALSE);
+
     shib_auth_assignroles();
   }
 }

 /**
+ * Implements hook_custom_theme().
+ *
+ * Assign roles before hook_init() as node_access() gets called before it.
+ * This allows SSO accounts with non-sticky roles to access content restricted
+ * to certain roles via modules like Content Access.
+ *
+ * @see https://www.drupal.org/node/553944#comment-3518440 for background.
+ */
+function shib_auth_custom_theme() {
+  shib_auth_role_assignment();
+}
+
+/**
  * Create a new user based on informations from the Shibboleth handler if it's necessary or log in.
  *
  * If already authenticated - do nothing
2.3.0