og_get_default_roles() function comment indicates that it returns an array of roles keyed by their declaring module. However, it returns an array of roles with *arbitrary* keys.

The default og_get_default_permissions() (and og_roles_overrides()) appear to use arbitrary values as returned by og_get_default_roles(). This will break permissions inheritance when another module is installed after og has been in use. If the new module implements hook_og_default_roles and sets a weight less than og, or is alphabetically before og the "rids" returned by og_get_default_roles() will shift. The keys currently returned by og_get_default_roles() should not be used as rids as the values are arbitrary. If this new module is enabled and disabled the rid => role mapping will shift again resulting in og_roles_override behaving buggy and problematic default role permission inheritance.

This appears to have broken in #1547014: Remove Global permissions.

The previous function declaration of returning keyed by module name was very valuable for the work in #1349754: features integration for organic groups permissions and roles. However if that is not useful elsewhere the features work can implement the necessary code.

CommentFileSizeAuthor
#2 og-1616950-2.patch3.55 KBjgraham
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

amitaibu’s picture

amitaibu
Primary language Hebrew
Location Israel
CreditAttribution: amitaibu commented

@jgraham, are you gonna work on this? :)

jgraham’s picture

jgraham CreditAttribution: jgraham commented
Status: Active » Needs review
FileSize
og-1616950-2.patch3.55 KB
  1. reworked og_default_roles() to be keyed by implementing module and then the roles
  2. removed $include parameter for og_default_roles() didn't appear to be used anywhere
  3. Fixed several typos in comments as well as reworking comments as necessary.
  4. Reworked og_default_permissions() to build around new structure in og_default_roles() returned array and to use the role names as the key rather than the arbitrary role index
  5. Reworked og_roles_override() to reflect new output of og_default_permissions(). We use og_default_permissions as the generator for the roles so that we have a flattened array rather than the multidimensional array from og_default_roles().
  6. Adjusted the db_update() call in og_roles_override to explicilty only be called if we are overriding roles for a group instance. I think it was safe before, but running this when not overriding on a specific group instance doesn't make sense.

I think that summarizes the changes.

Status: Needs review » Needs work

The last submitted patch, og-1616950-2.patch, failed testing.

jgraham’s picture

jgraham CreditAttribution: jgraham commented
Priority: Major » Normal

Adjusting severity. It looks like the potentially dangerous code was entirely non-functional. The db_update query was querying rid on string values which would have matched zero rows on the integer valued rids stored in the database. So no permission assignments would have "role-hopped" as I previously surmised.

Just need time to review the tests and see why they failed and if they need some updates.

jgraham’s picture

jgraham CreditAttribution: jgraham commented
Category: bug » feature
Status: Needs work » Closed (won't fix)

Closing this out as "won't fix" since I think #1349754: features integration for organic groups permissions and roles is the only code that would benefit from this rewrite, and adjusting status to "feature request" as it may not be a bug as indicated in comment 4.

jgraham’s picture

jgraham CreditAttribution: jgraham commented
Issue summary: View changes

fixed issue link for #1547014: Remove Global permissions