Problem/Motivation

With the default Group permissions, which do not allow non-group members to access information about a Group (in other words, without granting "View published group" to outsiders), invited users cannot see or access the name of the Group that they were invited to.

(Please see the attached screenshot.)

Steps to reproduce

Proposed resolution

Well, this could be a tricky one, but what we did on a downstream project (and probably that could also be implemented in this module) is:
1. We override the entity access handler of Group because it uses the default one, which does not differentiate the "view" vs. "view label" operation. See: https://github.com/drupal/core/blob/9.4.x/lib/Drupal/Core/Entity/EntityA...
2. In that custom access control handler (but once "view" and "view label" are considered different operations, this could even be implemented in a hook_ENTITY_TYPE_access() for the group entity type) we added a small piece of glue code that grants "view label" access to a user if they have a pending invitation to a group.
3. ...and FTR, we also had to patch Drupal core's EntityReferenceLabelFormatter, because after that it incorrectly started to render links instead of plain-text Group titles. See https://www.drupal.org/project/drupal/issues/3293287.

Remaining tasks

User interface changes

API changes

Data model changes

Attachments
File: ginvite_bug1.png   Size: 23.22 KB   Author: mxr576

Comments

mxr576 created an issue. See original summary.

mxr576’s picture

lobsterr’s picture

I think it is ok to allow users to view a group if we have an invitation to it.

  • LOBsTerr committed 0aa28234 on 2.x
    Issue #3293317 by LOBsTerr: Users cannot see the name of the Group that...

  • LOBsTerr committed 14ff4e95 on 3.0.x
    Issue #3293317 by LOBsTerr: Users cannot see the name of the Group that...

  • LOBsTerr committed a5d6651e on 4.0.x
    Issue #3293317 by LOBsTerr: Users cannot see the name of the Group that...
lobsterr’s picture

Status: Active » Fixed
mxr576’s picture

Since there is no tagged stable release with these changes, let me discuss it publicly here: I wonder if not bubbling up cacheability information from those invites that granted view/view label access to a group could lead to an information disclosure vulnerability when an invitation is deleted/revoked.
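The following is an added example that is not part of the issue, the ginvite module or the downstream project described in the proposed resolution. It shows the two pieces that resolution outlines (an access handler that keeps "view label" separate from "view", plus a hook_ENTITY_TYPE_access() that grants the label to a user with a pending invitation) and addresses the cacheability point raised in the comment above by attaching the invitation entities as cache dependencies, so that deleting or revoking an invitation invalidates the cached access result. The module name ginvite_label_example, the storage of invitations as group_content entities, and the field names invitation_status (pending value 0) and entity_id are assumptions; adjust them to the ginvite version in use.

```php
<?php

/**
 * @file
 * Example glue code (not from ginvite): grant "view label" on a group to a
 * user holding a pending invitation, with the invitation's cacheability
 * bubbled up into the access result.
 *
 * Assumed names: module ginvite_label_example; invitations stored as
 * group_content entities carrying an invitation_status field (pending = 0)
 * and an entity_id field referencing the invited user.
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\group\Entity\Access\GroupAccessControlHandler;

/**
 * Access handler that keeps "view label" distinct from "view".
 *
 * Core's EntityAccessControlHandler rewrites "view label" to "view" unless
 * $viewLabelOperation is TRUE, so without this override the access hook
 * below would never see the label operation at all.
 */
class LabelAwareGroupAccessControlHandler extends GroupAccessControlHandler {
  protected $viewLabelOperation = TRUE;
}

/**
 * Implements hook_entity_type_alter().
 */
function ginvite_label_example_entity_type_alter(array &$entity_types) {
  if (isset($entity_types['group'])) {
    $entity_types['group']->setAccessClass(LabelAwareGroupAccessControlHandler::class);
  }
}

/**
 * Implements hook_ENTITY_TYPE_access() for group entities.
 */
function ginvite_label_example_group_access(EntityInterface $group, $operation, AccountInterface $account): AccessResultInterface {
  // Only the label is opened up; full "view" access stays as configured.
  // Invitations are tied to a user account here, so anonymous users get nothing.
  if ($operation !== 'view label' || $account->isAnonymous()) {
    return AccessResult::neutral();
  }

  $invitations = ginvite_label_example_pending_invitations($group, $account);

  // allowedIf(FALSE) yields neutral, not forbidden, so a "View published
  // group" permission granted elsewhere still wins for users without an invite.
  $result = AccessResult::allowedIf(!empty($invitations))
    // The answer depends on who is asking.
    ->cachePerUser()
    // Entity list tag: invalidated whenever a group_content entity is
    // created or deleted, which covers a newly issued invitation.
    ->addCacheTags(['group_content_list']);

  // Each invitation that granted access becomes a cache dependency, so a
  // revoked or updated invitation invalidates the cached "allowed". Without
  // this, the cached result would outlive the invitation.
  foreach ($invitations as $invitation) {
    $result->addCacheableDependency($invitation);
  }

  return $result;
}

/**
 * Loads the pending invitations $account holds for $group.
 *
 * @return \Drupal\Core\Entity\EntityInterface[]
 *   Invitation entities keyed by id, empty when there are none.
 */
function ginvite_label_example_pending_invitations(EntityInterface $group, AccountInterface $account): array {
  $storage = \Drupal::entityTypeManager()->getStorage('group_content');
  $ids = $storage->getQuery()
    ->accessCheck(FALSE)
    ->condition('gid', $group->id())
    ->condition('entity_id', $account->id())
    // Assumed field and pending value; only invitation relationships carry it.
    ->condition('invitation_status', 0)
    ->execute();
  return $ids ? $storage->loadMultiple($ids) : [];
}
```

The handler override matters as much as the hook: with core's default behaviour the "view label" check is silently turned into a "view" check before any hook runs, so the grant would either not fire or would open full view access. On the cache side, cachePerUser() alone is not enough; the access result is stored with the invitation's cache tags, so revoking the invitation invalidates every cached render that depended on it, which is the scenario the comment above is concerned about.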

lobsterr’s picture

ok, I will handle this case in a separate ticket

mxr576’s picture

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.