Hi. I've tried to review all the OG issues and don't seem to see this discussed (or at least not asked this way).

I have several core user roles, one of which does not have Create Group Post permissions. (i.e. node: Group Post: Create new content is unchecked at admin/people/permissions for the role)

A user with this role is a member of a group

Members of this group do have Create Group Post permissions (i.e. Organic Groups: Create Group Post content is checked for members at admin/config/group/permissions/node/group, with the group using Group Roles and Permissions: Use Default Roles and Permissions)

When the user goes to node/add, they see Group Post as a content type they can add.

Why? They don't have permission for adding this content type based on their user role. The OG permissions seem to be overriding the core permissions. Is that by design?

My goal is to let users be in groups, but to control what they can do a group based on their user role, not (just) their group role.

Is this possible?

-- hanksterr7

INTERESTING repro steps:
-- remove all Create permissions for authenticated user role at node section of admin/people/permissions
-- log in as a user who only has the authenticated user role.
-- go to node/add. Get Access Denied error
-- go to og page (list of groups), find a group and request membership. group is set to not allow user to join without approval. Group does allow members to create Group Posts
-- go to node/add. Still get Access Denied error (user's status is Pending in group)
-- log out, and back in as admin user. Go to group/node/#/admin/people/add-user and promote the user from Pending to Active in the group
-- log out and back in as the authenticated user.
-- go to node/add. Options are now offered for creating Group Post. Is this a bug????


hanksterr7’s picture

Category: support » bug

Changing category to bug report, based on what is offered in Repro steps

hanksterr7’s picture

Issue summary: View changes

Adding repro steps

hanksterr7’s picture

Found a work-around (but I don't like that I had to do this)

Did the following:
-- Removed ability for group members to create group posts
-- Created a new Group Role called Group Author. This role has Create Group Post permissions
-- Installed the OG Role Override module.
-- Granted 'Act as role "group author" in OG Node Group groups' to my desired user role (called "content manager")

Now, authenticated users can join groups but they can not post content to the group. If the user gets the content manager user role, they automatically get the Group Author group role, and (assuming the group is using default roles and permissions), they can now create group posts to the group. An authenticated user can also be manually granted the Group Author role in one or more of their groups. When this is done, and they try to create Group Posts, the Group Audience box will show only those groups for which they have the Group Author group role (nice!)

So permissions linked to OG roles for content create/edit/delete override permissions linked to user roles. But with this workaround, via the OG Role Override module, I can get the two permissions systems to work together in the way I want.

-- hanksterr7

hanksterr7’s picture

Issue summary: View changes

edited repro steps

aronne’s picture

Just install OG Content Administration and retry.
It already solves this kind of bug.

joevagyok’s picture

check this: admin/config/group/settings

Strict node access permissions
When enabled Organic groups will restrict permissions for creating, updating and deleting according to the Organic groups access settings. Example: A content editor with the Edit any page content permission who is not a member of a group would be denied access to modifying page content in that group. (For restricting view access use the Organic groups access control module.)

hanksterr7’s picture


I do have the OG setting: "strict node access permissions" enabled.

So, it seems that with this setting enabled, then the core "node" permissions are ignored for content types that can be placed into groups. If a user does not have the core "node" permission for creating an instance of a content type, but has the OG permission for creating an instance of a content type (for a content type that can be placed in a group), then the user WILL be able to create the content type instance.

That is surprising (and I'm not sure this is desirable).

By the description of the setting, I would have expected OG to further restrict what the core "node" permission afforded, but not to provide a permission that the core "node" permission did not provide.

I have not tried OG Content Administration. The description of that module did not suggest it would fix this issue.

BTW, I have given up on OG Role Override. It has many deficiencies. See https://www.drupal.org/node/2533808