Right now the user gains whatever permissions they have in the parent group.

However, that means, for example, they don't have the permission the members of that child group have (if they have been customized to be different than parent group), and that all admins, etc. of parent group will travel down, which is desirable for some use cases but not other.

Proposal is to add control in how permissions are inherited, allowing parent groups to set whether child groups use permissions from parent or use the default member permission in the child group.

Patch depends on #2028055: Add caching for calculating parent/children. Like that, I try avoiding any extra calls/try to be as performant as possible. For example, when checking access, only check it for the user's group (I think it currently checks all parent groups despite user not being part of the group, meaning users gain whatever access non-member has from the parent, including ability to register for group o.o), and exit out as soon as access has been flipped to true.

CommentFileSizeAuthor
#9 2029123-og_permission_and_cache-9.patch46.84 KBhefox
#8 2029123-og_permission_and_cache-8.patch46.67 KBbeeradb
#6 2029123-og_permission_and_cache-5.patch45.79 KBbeeradb
#4 2029123-og_permission_and_cache-4.patch45.76 KBbeeradb
#3 2029123-og_permission_and_cache-3.patch45.35 KBhefox
#2 2029123-og_permission_and_cache-2.patch45.35 KBhefox
#1 2029123-og_permission_and_cache-1.patch45.36 KBhefox
og_user_permission_inhertence.patch8.31 KBhefox
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

hefox’s picture

hefox CreditAttribution: hefox commented
Status: Needs work » Needs review
FileSize
2029123-og_permission_and_cache-1.patch45.36 KB

I was adding tests (the current tests are for 1.x version as far as I can tell, so just scrapped them) and concluded it's much easier to handle one patch than two, so putting the cache issue as postponed and updating the entire patch (permission field and cache) here, though the permission part is a minor part of the patch.

hefox’s picture

hefox CreditAttribution: hefox commented
FileSize
2029123-og_permission_and_cache-2.patch45.35 KB

The oops of copy and pasting membership_type instead of membership hook continues, fixing.

hefox’s picture

hefox CreditAttribution: hefox commented
FileSize
2029123-og_permission_and_cache-3.patch45.35 KB

Fixing a place that didn't get updated

beeradb’s picture

beeradb CreditAttribution: beeradb commented
FileSize
2029123-og_permission_and_cache-4.patch45.76 KB

Here's a re-roll, which allows for the $filtered parameter on child groups as well.

hefox’s picture

hefox CreditAttribution: hefox commented
Status: Needs review » Needs work 
+++ b/og_subgroups.common.inc
@@ -312,79 +235,176 @@ function _og_subgroups_get_inherited_users($group_type, $group_id, $states = arr
+function og_subgroups_parents_load($group_type, $group_id, $filter = TRUE, $fetch_all = TRUE, $include_current = FALSE, $reset = FALSE) {
...
+function og_subgroups_children_load_multiple($groups, $fetch_all = TRUE, $filter = TRUE, $include_current = TRUE, $reset = FALSE) {

Different order of $fetch_all vs $filter?

+++ b/og_subgroups.common.inc
@@ -312,79 +235,176 @@ function _og_subgroups_get_inherited_users($group_type, $group_id, $states = arr
+function og_subgroups_children_load($group_type, $group_id, $fetch_all = TRUE, $include_current = FALSE, $reset = FALSE) {
...
+    $groups_all[$cid] = og_subgroups_children_load_multiple(array($group_type => array($group_id)), $fetch_all, $include_current, $reset);

didn't add it to arguments, or update the og_subgroups_childre_load_multiple call

beeradb’s picture

beeradb CreditAttribution: beeradb commented
Status: Needs work » Needs review
FileSize
2029123-og_permission_and_cache-5.patch45.79 KB

Ack, good catch on both points. Fixed with this one.

hefox’s picture

hefox CreditAttribution: hefox commented
Status: Needs review » Needs work

Need to only clear cache if updating a parent field vs. content

beeradb’s picture

beeradb CreditAttribution: beeradb commented
FileSize
2029123-og_permission_and_cache-8.patch46.67 KB

Here's a re-rolled version.

The previous patch had an issue. Here's a re-roll that includes:

* If the entity_load were to fail within the child_load_multiple or parent_load_multiple functions, the $group_cache key would not be set for that specific $cid, eventually that would trickle down into the og_subgroups_merge_groups function where it would try to merge a NULL value with an array (bad). This new patch addresses that issue by adding a blank array in the event that entity_load is not successful. This also allows it to cache so we aren't calling entity_load on non-existent (or broken) entities all over the place.
* Some minor coding cleanups.

Leaving this as needs work, since the caching work @hefox mentioned still needs to be updated.

hefox’s picture

hefox CreditAttribution: hefox commented
FileSize
2029123-og_permission_and_cache-9.patch46.84 KB

Call to og_subgroups_children_load_multiple wasn't updated for new paramaters when filter was added to og_subgroups_children_load_multiple

hefox’s picture

hefox CreditAttribution: hefox commented
Status: Needs work » Needs review

Oh fixed the cache thing also

mpotter’s picture

mpotter CreditAttribution: mpotter commented
Status: Needs review » Fixed

Been using this in Open Atrium 2 for a while now, so committed this to 4db2260.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.