Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
In my use case, group non-members may need to modify a group content type (but not bypass all node permissions). At the moment, og is restricting node access permissions to only those who are members.
If a user has access to edit or delete any content of a content type, then that permission should be respected.
Comments
Comment #1
amitaibu> At the moment, og is restricting node access permissions to only those who are members.
That's not correct, see:
hook_node_access() deals only with OG's permissions. The "core" permissions are already handled via node module.
Comment #2
mradcliffe> That's not correct, see:
Yes, it is correct. Og is specifically telling to deny access if
og_user_access($gid, etc...
does not pass. See screenshots after explanation below:Edit: it would have been better if i posted more information earlier, sorry.
Comment #3
mradcliffeI'm going to write a test case to check things.
Comment #4
mradcliffeOkay, here's a test case that shows the issue. I did not make it a patch but a separate test file so you need to add it to og.info.
Comment #5
amitaibuOk, now I understand :)
I think this isn't a bug, but a feature, as one might want OG to take full control (actually up until now, there was no issue like yours, so I assume most people want it this way).
So I think our appraoch should be in og_node_access:
Instead of
$return = NODE_ACCESS_DENY;
we should have a variable:$return = variable_get('og_node_access_strict', TRUE) ? NODE_ACCESS_DENY : NODE_ACCESS_IGNORE;
And in OG-UI add this setting. Of course a simpleTest will make sure it will be committed ;)
Comment #6
mradcliffeCool. That sounds good to me. I'll try to get a patch to you, with tests, early next week. :-)
Comment #7
mradcliffeOkay, I added the variable in og_ui's admin settings, added to the array of variable to remove in og_uninstall(), and modified og_node_access().
Also wrote some tests. I did not add to testOgAccess method, but added my own OgNodeAccess class in og.test (two test methods). I did not include tests for a group member editing content because it depends on og_access, and I am not sure if that should be in og_access or not. If you want, I can add to the test or refactor and put it all in testOgAccess.
Comment #8
amitaibuThanks!
Lets add comment why we have this variable -- i.e. OG full control VS allowing others to also decide.
Minor: Remove white space.
Missing dot in the end (other comments as-well).
Isn't $this->drupalCreateUser() enough?
Please break this long line.
Add PHPdocs.
We don't need this, as we don't deal with node access records.
Use $this->assertResponse()
I don't think you need to logout, before login -- doesn't it happen by itself? not sure.
No need to logout, in the end of the test :)
Maybe better: Strict node access permissions
Maybe: When enabled OG takes full control over node access and if no access found based on OG access is denied. If disabled access will not be explicitly denied.
Comment #9
amitaibuThanks!
Lets add comment why we have this variable -- i.e. OG full control VS allowing others to also decide.
Minor: Remove white space.
Missing dot in the end (other comments as-well).
Isn't $this->drupalCreateUser() enough?
Please break this long line.
Add PHPdocs.
We don't need this, as we don't deal with node access records.
Use $this->assertResponse()
I don't think you need to logout, before login -- doesn't it happen by itself? not sure.
No need to logout, in the end of the test :)
Maybe better: Strict node access permissions
Maybe: When enabled OG takes full control over node access and if no access found based on OG access is denied. If disabled access will not be explicitly denied.
Comment #10
mradcliffeWhoops, I also forgot to run through other og tests, which caught another big bug. I have attached two patches to address that and the issues above, but this should not be considered ready. I found a case where the solution doesn't fit correctly. :(
In my use case, a user would not have access to the group audience field via field_permissions. However this is not default behavior. If a user does have access to it, but is not in the group and can edit group content, then we run into this issue where they do not see any groups in the group field. There is a warning on node save, but it maintains the group.
I could see the following situations although I think that the second and third one fall under the same case (maybe not):
Is default behavior for a non-member to be able to see potential groups? If that is true, then I just need to allow that in a patch.
Another question: I have some commits to my local development branch. Should I create a new branch and just grab the overall code and commit that, then format a new patch. Or do you want to see all of this history, Amitaibu? Thanks.
Comment #11
amitaibu> Should I create a new branch and just grab the overall code and commit that, then format a new patch
Yes please:
git diff 7.x-1.x my-branch > patch-fie.patch
Comment #12
mradcliffeOkay, new patch.
After thinking about it, I don't think Og should make any assumptions on whether a user with edit should be able to see all groups or not. I added an extra conditional wrapper in the validate function, but that's it. Tests pass.
Comment #13
amitaibuWhy is this needed? This validation callback is called from OG-audience widget, so for sure the field is there. + it's not related to the issue ;)
Maybe better: Determine if OG should explicitly deny access.
No need for this assert.
Why do we need this part?
I have just committed this , which will allow to make og_node_access() shorter, something along this lines (untested):
Comment #14
mradcliffeIf I have permission to edit the node, but I am not in a group, I received a warning about it being undefined after I clicked save. No data loss.
I will rework the patch based on the og_node_access changes.
Comment #15
mradcliffeOkay, I have re-rolled the patch to try to integrate og_node_access changes.
I did find a failing test with og_field_access, but that seems to be a general issue with "update body field" without "update type content" permission in og_permissions.
Should a user who can update a field be able to update the node as well? I don't use og_field_access myself so I am not sure about the correct behavior.
Edit: I switched to git diff for some reason this time.
Comment #16
amitaibu> Should a user who can update a field be able to update the node as well?
No. But it seems that the failing test is "catching" a bug (as it passes without the test). Note that it fails in giving access to node-edit.
Comment #17
amitaibuOh, I see where it fails. We have the "update group" permissions defined in OG, but we don't explicitly check for it in the hook_node_access().
Comment #18
amitaibu^^ It's good that we have tests ;)
Comment #19
amitaibuAttach the patch the solves #17. Still reviewing...
Comment #20
amitaibuCleaned a bit more, and committed. Thank you mradcliffe!