Problem/Motivation

Currently it is possible to create gnodes for any accessible node, even for nodes which do not belong to the creator of gnode in a group.

Example

  • Precondition: User u1 is member of group g1 and is author of node n1. User u2 is member of no group, but author of node n2.
  • Step: u1 can create a gnodes for node n2 using /group/GID/node/add/CONTENTTYPE, although it is not their node
  • Result: u2 is still the author of n2, but since u2 is not a member of g1, they cannot access their node anymore

Proposed resolution

Only authors of nodes should be able to create gnodes for their own nodes in a group.

And/Or we should differentiate between more permissions for every content type plugin (like article). Currently there is only a permission "Article: Create new content". Additionally we need permissions like:

  1. Article: Add own existing content
  2. Article: Add any existing content

Comments

arthur_mueller created an issue. See original summary.

kristiaanvandeneynde’s picture

kristiaanvandeneynde
Primary language Dutch
Location Antwerp, Belgium
CreditAttribution: kristiaanvandeneynde at Deeson commented

I am more in favor of your second idea. Although the use case of relating a node to a group should be far less common than the case where a node is created in a group (using the wizard).

In some way it makes sense that someone with enough power to group global nodes (usually admins), that the node is then stripped from anyone who isn't part of the group.

Imagine the use case where there is a group called "Review reported content". When content is reported, it is added to that group so only reviewers can still see it. Once reviewed, it could be made public again or have further action taken against it.

kristiaanvandeneynde’s picture

kristiaanvandeneynde
Primary language Dutch
Location Antwerp, Belgium
CreditAttribution: kristiaanvandeneynde at Deeson commented
Category: Bug report » Feature request
dalra’s picture

dalra CreditAttribution: dalra commented

Having a permission to Add own existing content would prevent users from breaking the site.
Any chance for this to be implemented soon?

zenimagine’s picture

zenimagine CreditAttribution: zenimagine commented
Version: 8.x-1.0-alpha7 » 8.x-1.x-dev
dalra’s picture

dalra CreditAttribution: dalra commented

Additionally we need permissions like:

Article: Add own existing content
Article: Add any existing content

It would be great to see this implemented in the next release.
There are many use cases where only the node author should be able to add it to a group.

dww’s picture

dww
we/he/they
CreditAttribution: dww as a volunteer commented
Title: Group Node: Only author should be able to create Gnodes for his Nodes » Group Node: Only authors should be able to create Gnodes for their nodes
Issue summary: View changes

Authors aren't necessarily men. Updated title and summary accordingly.

Meanwhile, +1 to using permissions for this, not hard-coding the specific behavior.

Thanks,
-Derek

dianacastillo’s picture

dianacastillo CreditAttribution: dianacastillo as a volunteer and commented

has anyone done any work on this I can add to or test?

dianacastillo’s picture

dianacastillo CreditAttribution: dianacastillo as a volunteer and commented

I know this is not the "right " way to do it but as a quick hack I added in
/modules/contrib/group/modules/gcontent_field/src/Plugin/Field/FieldWidget/GroupSelectorWidget.php

in the function getAllowedgroups

$account = $this->currentUser ->get Account;

foreach ($groups as group){
if ($group->getMember($account}{
}else{
continue;
}