Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
Currently it is possible to create gnodes for any accessible node, even for nodes which do not belong to the creator of gnode in a group.
Example
- Precondition: User u1 is member of group g1 and is author of node n1. User u2 is member of no group, but author of node n2.
- Step: u1 can create a gnodes for node n2 using /group/GID/node/add/CONTENTTYPE, although it is not their node
- Result: u2 is still the author of n2, but since u2 is not a member of g1, they cannot access their node anymore
Proposed resolution
Only authors of nodes should be able to create gnodes for their own nodes in a group.
And/Or we should differentiate between more permissions for every content type plugin (like article). Currently there is only a permission "Article: Create new content". Additionally we need permissions like:
- Article: Add own existing content
- Article: Add any existing content
Comments
Comment #2
kristiaanvandeneyndeI am more in favor of your second idea. Although the use case of relating a node to a group should be far less common than the case where a node is created in a group (using the wizard).
In some way it makes sense that someone with enough power to group global nodes (usually admins), that the node is then stripped from anyone who isn't part of the group.
Imagine the use case where there is a group called "Review reported content". When content is reported, it is added to that group so only reviewers can still see it. Once reviewed, it could be made public again or have further action taken against it.
Comment #3
kristiaanvandeneyndeComment #4
dalra CreditAttribution: dalra commentedHaving a permission to Add own existing content would prevent users from breaking the site.
Any chance for this to be implemented soon?
Comment #5
zenimagine CreditAttribution: zenimagine commentedComment #6
dalra CreditAttribution: dalra commentedIt would be great to see this implemented in the next release.
There are many use cases where only the node author should be able to add it to a group.
Comment #7
dwwAuthors aren't necessarily men. Updated title and summary accordingly.
Meanwhile, +1 to using permissions for this, not hard-coding the specific behavior.
Thanks,
-Derek
Comment #8
dianacastillo CreditAttribution: dianacastillo as a volunteer and commentedhas anyone done any work on this I can add to or test?
Comment #9
dianacastillo CreditAttribution: dianacastillo as a volunteer and commentedI know this is not the "right " way to do it but as a quick hack I added in
/modules/contrib/group/modules/gcontent_field/src/Plugin/Field/FieldWidget/GroupSelectorWidget.php
in the function getAllowedgroups
$account = $this->currentUser ->get Account;
foreach ($groups as group){
if ($group->getMember($account}{
}else{
continue;
}