To Reproduce
Login as user that has OG permission 'update own page content' but lacks 'create page content' in a group. Go to create page form. Said group is listed in group audience field. Select that group, fill out the form, and create page content.
Expected behavior
Said group will not be listed in group audience field and creation of page in group will not be allowed.
Reason + patch
The access check added in #1541672: Don't check "create" access in OgSelectionHandler::buildEntityFieldQuery() to OgSelectionHandler only checks that $node exists or $node->uid == $user->uid, but does not check $node->nid. At some point in the form render process, a stub $node is created, so these checks succeed even though the content does not yet exist.
This patch checks $node->nid explicitly. Patch is against 7.x-2.x.
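The following is an added, stand-alone illustration of the failure mode described above; it is not OG's own code. The function names, the permission strings reused from the report, and the node/account objects are constructed for the example, and the "exists" test is modelled as a null check on the object versus an explicit check of $node->nid.

```php
<?php
// Added example, not code from Organic Groups: models how a stub node built
// during form rendering can satisfy an "update own" check intended only for
// content that has already been saved. All names below are assumptions.

function has_perm(string $perm, array $perms): bool {
    return in_array($perm, $perms, true);
}

// Buggy variant: "does the node exist?" is answered by looking at the object,
// so a stub node that has no nid yet still passes the ownership branch.
function group_listed_buggy(?object $node, object $account, array $perms): bool {
    if (has_perm('create page content', $perms)) {
        return true;
    }
    return $node !== null
        && has_perm('update own page content', $perms)
        && $node->uid == $account->uid;
}

// Fixed variant: require a real node id before applying the "update own" rule,
// so the rule only ever applies to content that exists in the database.
function group_listed_fixed(?object $node, object $account, array $perms): bool {
    if (has_perm('create page content', $perms)) {
        return true;
    }
    return $node !== null
        && !empty($node->nid)
        && has_perm('update own page content', $perms)
        && $node->uid == $account->uid;
}

// Constructed sample data: the create form builds a stub owned by the current
// user but without a nid, because nothing has been saved yet.
$account = (object) ['uid' => 42];
$stub    = (object) ['uid' => 42, 'nid' => null];
$saved   = (object) ['uid' => 42, 'nid' => 7];
$perms   = ['update own page content']; // deliberately lacks 'create page content'

$cases = [
    ['buggy, stub node on create form', 'group_listed_buggy', $stub],
    ['fixed, stub node on create form', 'group_listed_fixed', $stub],
    ['fixed, editing own saved node',   'group_listed_fixed', $saved],
];
foreach ($cases as [$label, $fn, $node]) {
    printf("%-36s group %s\n", $label, $fn($node, $account, $perms) ? 'listed' : 'hidden');
}
```

Only the fixed variant hides the group on the create form while still listing it when the user edits a page they already own.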
Comments
Comment #1
amitaibu: Nice. Any chance for a test, to prevent regressions?
Comment #2
ezheidtmann: With pleasure. I'll work on it now.
Comment #3
ezheidtmann
Comment #4
ezheidtmann: First patch had an unused test...() method. This one has the same functionality, no cruft.
Comment #5
amitaibu: Thanks!
Comment #6
ezheidtmann: I won't have a chance to work on this patch again any time soon, so please feel free to move it to where it needs to be.
And (I believe) we have to do the test this way because the bug is in OgSelectionHandler. Even without this patch, og_user_access_entity() still returns the appropriate value.
(Perhaps there is a deeper bug that doesn't double check the permissions upon group content creation?)
Comment #7
amitaibu: Completely overhauled test.
Comment #8
amitaibu: Committed.
Comment #9
amitaibu