Hi. I've tried to review all the OG issues and don't seem to see this discussed (or at least not asked this way).

I have several core user roles, one of which does not have Create Group Post permissions. (i.e. node: Group Post: Create new content is unchecked at admin/people/permissions for the role)

A user with this role is a member of a group.

Members of this group do have Create Group Post permissions (i.e. Organic Groups: Create Group Post content is checked for members at admin/config/group/permissions/node/group, with the group using Group Roles and Permissions: Use Default Roles and Permissions)

When the user goes to node/add, they see Group Post as a content type they can add.

Why? They don't have permission for adding this content type based on their user role. The OG permissions seem to be overriding the core permissions. Is that by design?

My goal is to let users be in groups, but to control what they can do in a group based on their user role, not (just) their group role.

Is this possible?

-- hanksterr7

INTERESTING repro steps:
-- remove all Create permissions for authenticated user role at node section of admin/people/permissions
-- log in as a user who only has the authenticated user role.
-- go to node/add. Get Access Denied error
-- go to og page (list of groups), find a group and request membership. group is set to not allow user to join without approval. Group does allow members to create Group Posts
-- go to node/add. Still get Access Denied error (user's status is Pending in group)
-- log out, and back in as admin user. Go to group/node/#/admin/people/add-user and promote the user from Pending to Active in the group
-- log out and back in as the authenticated user.
-- go to node/add. Options are now offered for creating Group Post. Is this a bug????


hanksterr7

Category: support » bug

Changing category to bug report, based on what is offered in Repro steps

hanksterr7

Issue summary: Adding repro steps

hanksterr7

Found a work-around (but I don't like that I had to do this)

Did the following:
-- Removed ability for group members to create group posts
-- Created a new Group Role called Group Author. This role has Create Group Post permissions
-- Installed the OG Role Override module.
-- Granted 'Act as role "group author" in OG Node Group groups' to my desired user role (called "content manager")

Now, authenticated users can join groups but they cannot post content to the group. If the user gets the content manager user role, they automatically get the Group Author group role, and (assuming the group is using default roles and permissions), they can now create group posts to the group. An authenticated user can also be manually granted the Group Author role in one or more of their groups. When this is done, and they try to create Group Posts, the Group Audience box will show only those groups for which they have the Group Author group role (nice!).

So permissions linked to OG roles for content create/edit/delete override permissions linked to user roles. But with this workaround, via the OG Role Override module, I can get the two permissions systems to work together in the way I want.

-- hanksterr7

hanksterr7

Issue summary: edited repro steps

aronne

Just install OG Content Administration and retry.
It already solves this kind of bug.

joevagyok

check this: admin/config/group/settings

Strict node access permissions
When enabled Organic groups will restrict permissions for creating, updating and deleting according to the Organic groups access settings. Example: A content editor with the Edit any page content permission who is not a member of a group would be denied access to modifying page content in that group. (For restricting view access use the Organic groups access control module.)
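For the goal stated in the original post (the core role permission must be held in addition to the group permission), one option is a small custom module that vetoes write access when the core permission is missing. This is an added example, not code from this thread or from the Organic Groups project; it assumes Drupal 7, a hypothetical module name `mymodule`, and `group_post` as the machine name of the Group Post content type.

```php
<?php
/**
 * @file
 * mymodule.module (hypothetical name; assumes Drupal 7 with Organic Groups).
 */

/**
 * Implements hook_node_access().
 *
 * Core grants access when any module returns NODE_ACCESS_ALLOW and no module
 * returns NODE_ACCESS_DENY, so a group-level allow is sufficient on its own.
 * Returning DENY here turns the core role permission into a hard requirement.
 * Accounts with "bypass node access" never reach this hook.
 */
function mymodule_node_access($node, $op, $account) {
  // Only gate write operations; view access is left to other modules.
  if (!in_array($op, array('create', 'update', 'delete'), TRUE)) {
    return NODE_ACCESS_IGNORE;
  }

  // For 'create', core passes the content type name instead of a node object.
  $type = is_string($node) ? $node : $node->type;

  // Assumption: machine name of the "Group Post" content type.
  if ($type !== 'group_post') {
    return NODE_ACCESS_IGNORE;
  }

  // Core permission names as listed on admin/people/permissions.
  $required = array();
  if ($op === 'create') {
    $required[] = "create $type content";
  }
  else {
    $verb = ($op === 'update') ? 'edit' : 'delete';
    $required[] = "$verb any $type content";
    if ($node->uid == $account->uid) {
      $required[] = "$verb own $type content";
    }
  }

  foreach ($required as $permission) {
    if (user_access($permission, $account)) {
      // Core permission is present: stay neutral and let OG decide.
      return NODE_ACCESS_IGNORE;
    }
  }
  // No matching core permission: veto, regardless of the group role.
  return NODE_ACCESS_DENY;
}
```

With this in place, repeating the repro steps above as a user with only the authenticated user role should end with Access Denied at node/add even after the membership becomes Active.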