Users with 'update own <type> content' but without 'create <type> content' are allowed to create content (OgSelectionHandler) [#1797088]

To Reproduce

Login as user that has OG permission 'update own page content' but lacks 'create page content' in a group. Go to create page form. Said group is listed in group audience field. Select that group, fill out the form, and create page content.

Expected behavior

Said group will not be listed in group audience field and creation of page in group will not be allowed.

Reason + patch

The access check added in #1541672: Don't check "create" access in OgSelectionHandler::buildEntityFieldQuery() to OgSelectionHandler only checks that $node exists or $node->uid == $user->uid, but does not check $node->nid. At some point in the form render process, a stub $node is created, so these checks succeed even though the content does not yet exist.

This patch checks $node->nid explicitly. Patch is against 7.x-2.x.

Comment	File	Size	Author
#7	1797088-og-node-craete-perm-7.patch	2.95 KB	amitaibu
#7
#4	og-selection-update-create_7.x-2.x.patch	4.85 KB	ezheidtmann
#4
#3	og-selection-update-create_7.x-2.x.patch	5.3 KB	ezheidtmann
#3
#3	og-selection-update-create_7.x-2.x-tests-only.patch	3.9 KB	ezheidtmann
#3
	og-selection-update-create_7.x-2.x.patch	1.4 KB	ezheidtmann

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

amitaibu

Hebrew

Israel

CreditAttribution: amitaibu commented 27 September 2012 at 19:53

Nice. Any chance for a test, to prevent regressions?

Comment #2

ezheidtmann CreditAttribution: ezheidtmann commented 27 September 2012 at 22:43

With pleasure. I'll work on it now.

Comment #3

ezheidtmann CreditAttribution: ezheidtmann commented 27 September 2012 at 23:36

File	Size
og-selection-update-create_7.x-2.x-tests-only.patch	3.9 KB

og-selection-update-create_7.x-2.x.patch	5.3 KB

Comment #4

ezheidtmann CreditAttribution: ezheidtmann commented 27 September 2012 at 23:41

File	Size
og-selection-update-create_7.x-2.x.patch	4.85 KB

First patch had an unused test...() method. This one has same functionality, no cruft.

Comment #5

amitaibu

Hebrew

Israel

CreditAttribution: amitaibu commented 29 September 2012 at 17:06

Status:

Needs review

» Needs work

Thanks!

Lets move the test under OgNodeAccess
The test seems to be trying to do a lot. Can't we just assert node_access() with the permission and without?

Comment #6

ezheidtmann CreditAttribution: ezheidtmann commented 1 October 2012 at 02:12

Assigned:

ezheidtmann

» Unassigned

I won't have a chance to work on this patch again any time soon, so please feel free to move it to where it needs to be.

And (I believe) we have to do the test this way because the bug is in OgSelectionHandler. Even without this patch, og_user_access_entity() still returns the appropriate value.

(Perhaps there is deeper bug that doesn't double check the permissions upon group content creation?)