Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
If a user has global "administer group" permission, og_user_access also gives her all content permissions that exist in a group. (also see #1318036: og_node_access() "administrator members" can delete ANY group content.)
This is way too much for many use cases, and can't be changed currently.
Comments
Comment #1
geek-merlinHere's a patch that opens the door to fixing this *without* breaking legacy installations:
* we already have a variable 'og_group_manager_full_access'
* this patch implements the same for group admin as 'og_group_admin_full_access'
Comment #2
amitaibuBut that's exactly the point of that permission, so I'm not clear about the issue.
Comment #3
geek-merlinthere are 2 levels about this that should NOT be mixed:
* administer groups
* override all group content permissions
an example that we've been running into:
* we modeled some node-create permissions per language
* these permissions are set per country group
now a group admin would be able to create content in any language which is not wanted.
Comment #4
amitaibu> * we modeled some node-create permissions per language
In that case I think you should look at #1865944: Allow implementing modules to change the My/Other groups selection -- where the group-audience logic is custom.
(If you think differently please open the issue)
Comment #6
geek-merlinThe issue in #4 has its use cases but does not fix the underlying problem here.
As to #2:
We have several projects where we need a different permission for
a) can administer groups in the sense of add/delete users
b) has full access to all group (view, edit etc) rights
there are use cases for a-and-not-b as well as b-and-not-a.
In the meantime i added that variable introduced in #1 to the ui settings.
Comment #8
geek-merlinHEAD ran away, rerolled.
Also see my comment in #6.
Comment #9
amitaibuI'm not a fan of this approach, it hardcodes assumptions. Why not use
hook_og_access_alter()
to set the access according to your business logic?Comment #10
azinck CreditAttribution: azinck commentedHere's a slightly different approach to this problem. This patch creates global permissions for every OG role (and every group type) so that you can grant someone select OG roles in *all* groups of a given type without having to make them a member of all the groups.
Comment #11
geek-merlinFrom a first look i think the patch in #10 is very elegant and should solve the original problem.
Did not come to test it yet but if it works i'm all for it.
Comment #12
geek-merlinComment #13
amitaibu> Why not use hook_og_access_alter() to set the access according to your business logic?
in my opinion, this question is still valid.
Comment #14
azinck CreditAttribution: azinck commented@Amitaibu in #13:
I agree that folks can solve this themselves in hook_og_access_alter(). I've used the same basic approach as in #10 but just implemented via hook_og_occess_alter() on a few projects of my own..
That said, the approach I took avoids specific business logic assumptions and solves a variety of use-cases that I've run across when building sites with OG 2.x. I thought it might be helpful to add it to the module.
Comment #15
amitaibuProblem is that it adds a lot of new permissions - that could be overwhelming.
Comment #16
azinck CreditAttribution: azinck commentedWhat if there were an option on the OG role to choose to expose it as a global permission?
Comment #17
azinck CreditAttribution: azinck commentedRe-rolled against 2.x-dev
Comment #18
azinck CreditAttribution: azinck commentedUpdated slightly to work properly when a group has overridden permissions.
Comment #20
azinck CreditAttribution: azinck commentedOops, that needed parentheses. Fix attached.
Comment #21
azinck CreditAttribution: azinck commentedThis needs more work; I've run into trouble with assumptions made by OG's entityreference widget.
Comment #22
amitaibuSince it's touching access, it will require also tests