og_membership_access() doesn't take into account actual group permissions.

The problem seems a general one to me, indeed. Moving to bug instead of Feature Request. As it stands, the function goes against the permissions available in the UI for groups. Particularly:

Manage members
Users may remove group members and alter member status and roles. Warning: Give to trusted roles only; this permission has security implications in the group context.

So according to that, any user with that permission should be granted access to the membership entity.

Patch attached to solve it.

Doh... patch correct, but badly created so it won't apply, I'll attach the right one asap T_T.

@slv_ just need --relative flag inside the og folder I guess for git diff?

Let's see now!

Right, I'm confident the patch is correct now, and was applied successfully. Problem is there's already a test failing in the branch, which is not related to this patch, but makes the tests fail.

The failing test seems to be there since January -> https://www.drupal.org/pift-ci-job/584179.

This is the test for the patch uploaded in previous comment: https://www.drupal.org/pift-ci-job/605815. Same failure. Marking as needs review, as I suppose it can be RTBC regardless of the other issue.

Is there an issue for that failure?

I've just created it https://www.drupal.org/node/2859078.

It also seems that one was in place from some time ago? Just found this (https://www.drupal.org/node/2770927#comment-11429029).

Thanks. Yeah, it would be great if you could tackle the failing test. Also, I'd love to have a simpleTest to assert the access change introduced in this patch

I'm attaching a re-rolled patch that will apply cleanly on the newest version of the module.

@nplowman that doesn't quite look like a re-roll. Did you mean to remove the user_access check?

@joelpittet Actually og_user_access() does the checking of user_access('administer group'), so I think checking og_user_access is enough and working. (Tested with OG 2.10)