I would have assumed that only group admins are able to create and administer their group vocabularies. However current permission (as implemented in function og_vocab_determine_access) allows any group members to have access to the group vocabs with proper permissions turned on.

I feel like I am missing something; there must be a way to allow access to group vocabs only by the group admins, right? Can I do it without hacking the access function?

CommentFileSizeAuthor
#5 og_vocab_solution.zip1 KBmraj_28

Comments

gensuperman’s picture

gensuperman commented

I was about to make the same post... glad to see that this post is here.... "What was this module author thinking?"

I mean this module currently allows any regular individual (NON ADMIN) to be able to add/edit and delete any og vocab/og term per any OG Group that they are a member of...

This module even allows regular (NON ADMIN) individuals to edit existing OG Vocab/OG Terms created by the original OG Group Admin... What kind of crap is that?

I was thinking that the module would only allow "Group Admins" per each OG Group, to be the only ones able to edit/delete/add or remove OG Vocab/OG Terms. Especially, their own created OG VOCAB/OG Terms... But, nope.

Even with all the permissions turned off for this feature in permission settings area, the OG Admin for that group is then not even allowed to be able to create/delete/add OG Vocab/OG Terms for that group.

I can understand allowing Group (NON Admins) the ability to create their own OG Vocab/OG Terms for their joined group, thats fine, but for some reason there is most likely a bug in this module that allows individuals that are a member of an OG Group to edit "ANY" and "ALL" OG VOCABS/OG TERMS, even the ones created by the OG Group Admin for that Group.

I am changing the Priority to "CRITICAL", this is sort of a security risk at this point. If people don't know what their doing, their entire OG Groups Taxonomies could be all screwed up by users with malicious intent, especially for "PUBLIC" OG Groups.

User BEWARE!

I am sooooooo frustrated.

gensuperman’s picture

gensuperman commented
Priority: Normal » Critical
amitaibu’s picture

amitaibu
Primary language Hebrew
Location Israel
commented

I'll have time to adrress it only after Drupalcon.

@gensuperman, if you are so frustrated, you can provide a patch ;)

gensuperman’s picture

gensuperman commented

I also tried the 6.x-1.0-rc1 2009-Jan-27 version of OG Vocabulary and the issue is also present there in that module as well as the 6.x-1.x-dev 2009-May-18 version of the OG Vocab.

I am more of a tester, although I also do some coding, my coding is for smaller issues.

This issue seems to be something that is quite large/critical in this module. I am hopeful that someone will come with a fix soon, as this is a very important module to some.

mraj_28’s picture

mraj_28 commented
StatusFileSize
new og_vocab_solution.zip1 KB

Hi,

I have the same problem and I worked on it for almost a day and I think I solved it.

I solved it by changing a single line of code in og_vocab module.

In the og_vocab module we have a function "og_vocab_determine_access($node, $perm)" which determines access to the taxonomy for og groups. In that function it returns the following.

"return og_is_group_type($node->type) && og_is_group_member($node->nid) && (user_access($perm) || user_access('administer organic groups'));"

If you check the above function you can understand that it is looking for member of the group "og_is_group_member". As I don't want the group member to change the taxonomy for a particular group (but the group admin should have access to it) I changed it to "og_is_group_admin". But the parameter for that function should be node and not the node id. So the function I changed "og_is_group_member($node->nid)" to "og_is_group_admin($node)". Even if we want the members of the group to be able to change the taxonomy the function should be "og_is_group_member($node)" and not "og_is_group_member($node->nid)". Authors of this module, please take care of it.

So the function

"function og_vocab_determine_access($node, $perm) {
return og_is_group_type($node->type) && og_is_group_member($node->nid) && (user_access($perm) || user_access('administer organic groups'));
}"

is changed to

"function og_vocab_determine_access($node, $perm) {
return og_is_group_type($node->type) && og_is_group_admin($node) && (user_access($perm) || user_access('administer organic groups'));
}"

Also all the permissions for og_vocab should be set.

Hello gensuperman, I have tested it and it is working fine for me. Please test it for yourself and let us know it there is anything wrong with what I have changed.

Authors of this module, thank you very much for providing us with such an excellent module.

I don't know if the functions are posted correctly so I am attaching a word doc. Please check the word doc., if you don't see the functions correctly.

Thank you.

amitaibu’s picture

amitaibu
Primary language Hebrew
Location Israel
commented

@mraj_28,
thanks for working on this. please provide a patch as instructed here - http://drupal.org/patch/create

amitaibu’s picture

amitaibu
Primary language Hebrew
Location Israel
commented
Priority: Critical » Normal
Status: Active » Fixed

Fixed, please check.

Logic is now:

  // Group admin should have access regardless of permissions.
  // Otherwise check the user is a member with the right permissions.
  return (og_is_group_type($node->type) && (og_is_group_admin($node) || (og_is_group_member($node->nid) && (user_access($perm) || user_access('administer organic groups')))));

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.