og_get_default_roles() function comment indicates that it returns an array of roles keyed by their declaring module. However, it returns an array of roles with *arbitrary* keys.
The default og_get_default_permissions() (and og_roles_overrides()) appear to use arbitrary values as returned by og_get_default_roles(). This will break permissions inheritance when another module is installed after og has been in use. If the new module implements hook_og_default_roles and sets a weight less than og, or is alphabetically before og the "rids" returned by og_get_default_roles() will shift. The keys currently returned by og_get_default_roles() should not be used as rids as the values are arbitrary. If this new module is enabled and disabled the rid => role mapping will shift again resulting in og_roles_override behaving buggy and problematic default role permission inheritance.
This appears to have broken in #1547014: Remove Global permissions.
The previous function declaration of returning keyed by module name was very valuable for the work in #1349754: features integration for organic groups permissions and roles. However if that is not useful elsewhere the features work can implement the necessary code.
Comment | File | Size | Author |
---|---|---|---|
#2 | og-1616950-2.patch | 3.55 KB | jgraham |
Comments
Comment #1
amitaibu@jgraham, are you gonna work on this? :)
Comment #2
jgraham CreditAttribution: jgraham commentedI think that summarizes the changes.
Comment #4
jgraham CreditAttribution: jgraham commentedAdjusting severity. It looks like the potentially dangerous code was entirely non-functional. The db_update query was querying rid on string values which would have matched zero rows on the integer valued rids stored in the database. So no permission assignments would have "role-hopped" as I previously surmised.
Just need time to review the tests and see why they failed and if they need some updates.
Comment #5
jgraham CreditAttribution: jgraham commentedClosing this out as "won't fix" since I think #1349754: features integration for organic groups permissions and roles is the only code that would benefit from this rewrite, and adjusting status to "feature request" as it may not be a bug as indicated in comment 4.
Comment #5.0
jgraham CreditAttribution: jgraham commentedfixed issue link for #1547014: Remove Global permissions