Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Users can add content to groups where they don't have "create content" permission.
Setup
- Create user with "create article content" permission in group A and only "update article content" permission in another group B.
- As this user, create an article in group A.
- Edit this article and change group selection to group B.
(I'm unable to test form submission at this moment due to another bug)
Fix
In OgSelectionHandler, only include a group in which the user has "update" permission if the node is already in that group.
Comment | File | Size | Author |
---|---|---|---|
#10 | 1816752-og-update-10.patch | 7.23 KB | amitaibu |
#8 | 1816752-og-update-8.patch | 6.42 KB | amitaibu |
#7 | update-testonly.patch | 2.9 KB | ezheidtmann |
#7 | update-withtest.patch | 4.36 KB | ezheidtmann |
#3 | og-test.2012-10-22.patch | 2.83 KB | ezheidtmann |
Comments
Comment #1
amitaibuWhy
isset($node_groups)
? -- it's not declared before.Also, can you add a test for it under
OgNodeAccess
Comment #2
ezheidtmann CreditAttribution: ezheidtmann commentedYea, I'll try to write a test.
The
isset($node_groups)
saves repeated calls to og_get_entity_groups() within that loop.Comment #3
ezheidtmann CreditAttribution: ezheidtmann commentedHere's a test that, if it works right, should pass in current code but fail with the fix applied. Not sure at the moment how to invert the logic ...
Comment #5
ezheidtmann CreditAttribution: ezheidtmann commented#3: og-test.2012-10-22.patch queued for re-testing.
Comment #7
ezheidtmann CreditAttribution: ezheidtmann commentedFirst patch has test only; should fail. Second patch should pass.
Comment #8
amitaibuThanks. I've changed the test to something more simple, as we don't need to create new roles; and it's always better to test the select list itself using XPath.
Comment #10
amitaibuComment #11
amitaibuCommitted, thanks.