From 0d4baee0646e64120ab8e4bfd6f2cd7be7541044 Mon Sep 17 00:00:00 2001
From: Matthew Radcliffe <mradcliffe@kosada.com>
Date: Mon, 24 Oct 2011 16:15:55 -0400
Subject: [PATCH 2/3] [#1317164] by mradcliffe. Changes to previous commit for
 #1317164. There was one bug in og.module that I
 introduced, now fixed. Also, corrected formatting
 issues.

---
 og.module             |    5 +++-
 og.test               |   64 ++++++++++++++++++++----------------------------
 og_ui/og_ui.admin.inc |    4 +-
 3 files changed, 33 insertions(+), 40 deletions(-)

diff --git a/og.module b/og.module
index 132a53d..ecb4819 100644
--- a/og.module
+++ b/og.module
@@ -425,10 +425,13 @@ function og_og_default_roles() {
 function og_node_access($node, $op, $account) {
   // If not a group type or the operation is node creation which still has no
   // groups so we can't check it yet, we ignore the access.
-  $return = variable_get('og_node_access_strict', TRUE) ? NODE_ACCESS_DENY : NODE_ACCESS_IGNORE;
+  $return = NODE_ACCESS_IGNORE;
 
   $type = is_string($node) ? $node : (is_array($node) ? $node['type'] : $node->type);
   if (in_array($op, array('update', 'delete'))) {
+    // og_node_access_strict will take full control of node access when true
+    // while it will pass through access to other modules when false.
+    $return = variable_get('og_node_access_strict', TRUE) ? NODE_ACCESS_DENY : NODE_ACCESS_IGNORE;
     if (og_is_group_type('node', $type) && $group = og_get_group('node', $node->nid)) {
       // The node is a group.
       if (og_user_access($group->gid, $op . ' group', $account)) {
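Review bot: The strict default is assigned at the top of the update/delete branch, before the code has established that the node is a group or group content: `$return = variable_get('og_node_access_strict', TRUE) ? NODE_ACCESS_DENY : NODE_ACCESS_IGNORE;`. In Drupal 7 a single NODE_ACCESS_DENY from any hook_node_access() implementation overrides every NODE_ACCESS_ALLOW. So if the rest of og_node_access() (which continues outside this hunk) does not set `$return` back to NODE_ACCESS_IGNORE for nodes with no group association, strict mode would block update and delete on every node on the site, and the variable defaults to TRUE. I would assign the deny default only in the branches where a group or audience was actually found, and leave `$return = NODE_ACCESS_IGNORE;` for everything else. If the site-wide fail-closed behaviour is intended, the comment should say so explicitly, for example `// Strict mode denies update/delete on any node unless OG grants it, including nodes outside all groups.`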
diff --git a/og.test b/og.test
index f13507a..992929e 100644
--- a/og.test
+++ b/og.test
@@ -329,7 +329,7 @@ class OgGroupApi extends DrupalWebTestCase {
  * Test Group node access. This will test nodes that are groups and group content.
  */
 class OgNodeAccess extends DrupalWebTestCase {
-  
+
   public static function getInfo() {
     return array(
       'name' => 'Organic groups node access',
@@ -348,80 +348,70 @@ class OgNodeAccess extends DrupalWebTestCase {
     // Add OG audience field to the node's "article" bundle.
     og_create_field(OG_AUDIENCE_FIELD, 'node', 'article');
 
-    // Create some users
-    $this->admin_user = $this->drupalCreateUser(array('bypass node access', 'administer site configuration', 'access administration pages', 'administer group'));
-    $this->editor_user = $this->drupalCreateUser(array('access content', 'edit any page content', 'edit any article content'));
-    $this->group_manager = $this->drupalCreateUser(array('access content'));
-    $this->member = $this->drupalCreateUser(array('access content'));
+    // Create an editor user and a group manager for these tests.
+    $this->editor_user = $this->drupalCreateUser(array('access content', 'create page content', 'edit any page content', 'edit any article content'));
+    $this->group_manager = $this->drupalCreateUser();
 
-    // Create group node
-    $settings = array('type' => 'page', OG_GROUP_FIELD . '[und][0][value]' => 1, 'uid' => $this->group_manager->uid);
+    // Create group node.
+    $settings = array(
+      'type' => 'page',
+      OG_GROUP_FIELD . '[und][0][value]' => 1,
+      'uid' => $this->group_manager->uid
+    );
     $this->group_node = $this->drupalCreateNode($settings);
     $this->group = og_get_group('node', $this->group_node->nid);
 
-    // Create node for group
+    // Create node for group.
     $settings = array('type' => 'article');
     $this->group_content = $this->drupalCreateNode($settings);
   }
 
+  /**
+   * Test strict access permissions for updating group node. A non-member of
+   * a group who has core node access update permission is denied access.
+   */
   function testStrictAccess() {
     // Set Node Access Strict variable.
     variable_set('og_node_access_strict', TRUE);
 
-    // Rebuild content access perms., and set group perms.
-    $this->drupalLogin($this->admin_user);
-    $this->drupalPost('admin/reports/status/rebuild', array(), t('Rebuild permissions'));
-    $this->drupalGet('node/' . $this->group_node->nid);
-    $this->drupalLogout();
-
     // Login as editor and try to change the group node and group content.
     $this->drupalLogin($this->editor_user);
 
     $this->drupalGet('node/' . $this->group_node->nid . '/edit');
-    $this->assertRaw('Access denied', t('A non-member with core node access permissions was denied access to edit group node.'));
+    $this->assertResponse('403', t('A non-member with core node access permissions was denied access to edit group node.'));
 
     $this->drupalGet('node/' . $this->group_content->nid . '/edit');
-    $this->assertRaw('Access denied', t('A non-member with core node access permissions was denied access to edit group content node.'));
-
-    $this->drupalLogout();
+    $this->assertResponse('403', t('A non-member with core node access permissions was denied access to edit group content node.'));
 
-    // Login as a group manager and try to change group node..
+    // Login as a group manager and try to change group node.
     $this->drupalLogin($this->group_manager);
 
     $this->drupalGet('node/' . $this->group_node->nid . '/edit');
-    $this->assertNoRaw('Access denied', t('Group manager allowed to access group node.'));
-
-    $this->drupalLogout();
+    $this->assertResponse('200', t('Group manager allowed to access group node.'));
   }
 
+  /**
+   * Test non-strict access permissions for updating group node. A non-member
+   * of a group who has core node access update permission is allowed access.
+   */
   function testNoStrictAccess() {
     // Set Node Access Strict variable.
     variable_set('og_node_access_strict', FALSE);
 
-    // Rebuild content access perms., set group perms., and set og_node_access_strict variable
-    $this->drupalLogin($this->admin_user);
-    $this->drupalPost('admin/reports/status/rebuild', array(), t('Rebuild permissions'));
-    $this->drupalGet('node/' . $this->group_node->nid);
-    $this->drupalLogout();
-
     // Login as editor and try to change the group node and group content.
     $this->drupalLogin($this->editor_user);
 
     $this->drupalGet('node/' . $this->group_node->nid . '/edit');
-    $this->assertNoRaw('Access denied', t('A non-member with core node access permissions was not denied access.'));
+    $this->assertResponse('200', t('A non-member with core node access permissions was not denied access.'));
 
     $this->drupalGet('node/' . $this->group_content->nid . '/edit');
-    $this->assertNoRaw('Access denied', t('A non-member with core node access permissions was not denied access to edit group content node.'));
+    $this->assertResponse('200', t('A non-member with core node access permissions was not denied access to edit group content node.'));
 
-    $this->drupalLogout();
-
-    // Login as a group manager and try to change group node..
+    // Login as a group manager and try to change group node.
     $this->drupalLogin($this->group_manager);
 
     $this->drupalGet('node/' . $this->group_node->nid . '/edit');
-    $this->assertNoRaw('Access denied', t('Group manager allowed to access group node.'));
-
-    $this->drupalLogout();
+    $this->assertResponse('200', t('Group manager allowed to access group node.'));
   }
 }
 
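Review bot: `$this->group_content` is created with only `array('type' => 'article')`, and no OG_AUDIENCE_FIELD value is set in the visible part of setUp() (which starts outside this hunk). The node therefore does not appear to belong to `$this->group`. As written, the 403 assertion on `node/<group_content nid>/edit` in testStrictAccess() checks the deny default on an ungrouped node, not a decision based on group membership. I would populate OG_AUDIENCE_FIELD with `$this->group->gid` in `$settings` so the node really is group content. I would also add a separate assertion that fixes the expected result for an article that is in no group while strict mode is on. The patch also removes the plain `member` user and only ever requests `/edit`, so an ordinary group member and the delete operation are left without coverage.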
diff --git a/og_ui/og_ui.admin.inc b/og_ui/og_ui.admin.inc
index 5747fab..1e16b6e 100644
--- a/og_ui/og_ui.admin.inc
+++ b/og_ui/og_ui.admin.inc
@@ -21,8 +21,8 @@ function og_ui_user_admin_settings($form_state) {
 
   $form['og_node_access_strict'] = array(
     '#type' => 'checkbox',
-    '#title' => t('Strict group node access permissions'),
-    '#description' => t('When enabled group node access permissions will supercede core node access permissions such as update and delete.'),
+    '#title' => t('Strict node access permissions'),
+    '#description' => t('When enabled Organic groups will take full control of node access permission, and will deny access based on Organic groups access. Example: A content editor with the <em>Edit any page content</em> permission who is not a member of a group would be denied access to modifying page content in that group.'),
     '#default_value' => variable_get('og_node_access_strict', TRUE),
   );
 
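Review bot: The new `#description` says Organic groups "will take full control of node access permission", but the og.module hunk in this same patch consults `og_node_access_strict` only inside the `update`/`delete` branch. An administrator could read the text as also restricting who may view group content. The previous wording named the affected operations. I would keep that scope in the new text, e.g. `When enabled Organic groups will take full control of update and delete access to nodes, and will deny access based on Organic groups access.` followed by the existing example.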
-- 
1.7.6

