Version: 8.x-1.0-beta2

The user roles on the Members page is not properly displayed. For example see the attached screenshot.

Below are the assigned roles for each member:
user1: Manager
user2: Member (default)

user1 (manager) is given the permission to "Administer group members" thus he is able to see the Members page.

In the Members page user1 see himself and user2 as "None" for the role. However, when admin (global) see the Members page, he sees user1 as Manager and user2 as None.

The correct way display should be as below. Both user1 and admin should see the display below.
user1: Manager
user2: Member

CommentFileSizeAuthor
membership-role-not-showing.png390.72 KBZythyr
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Zythyr created an issue. See original summary.

Zythyr’s picture

Zythyr CreditAttribution: Zythyr commented
Issue summary: View changes
Zythyr’s picture

Zythyr CreditAttribution: Zythyr commented
Version: 8.x-1.x-dev » 8.x-1.0-beta2
kristiaanvandeneynde’s picture

kristiaanvandeneynde
Primary language Dutch
Location Antwerp, Belgium
CreditAttribution: kristiaanvandeneynde at Deeson commented
Priority: Critical » Normal

I'll have a look.

Seeing as this is simply a UI bug that does not break your site's functionality, this is far from critical.

kristiaanvandeneynde’s picture

kristiaanvandeneynde
Primary language Dutch
Location Antwerp, Belgium
CreditAttribution: kristiaanvandeneynde at Deeson commented

It's because they don't receive 'view' access from GroupRoleAccessControlHandler because they do not have the global 'administer group' permission.

I'll see if I can adjust the views handler for that view to allow you to see the role labels without needing 'view' access.

The alternative is granting everyone 'view' access for group roles. I think we may have a security issue on our hands then as it would allow people to see what roles have what permissions if the roles are exposed by accident through REST. If no REST module is enabled, it's fine because we do not have a 'view' route for group roles.

kristiaanvandeneynde’s picture

kristiaanvandeneynde
Primary language Dutch
Location Antwerp, Belgium
CreditAttribution: kristiaanvandeneynde at Deeson commented
Status: Active » Fixed

So I've given it some thought and went with the idea of giving everyone view access. There's no inherent security risk unless someone decides to expose group types or roles through REST. And when they do that, they have to make sure their API is secure anyhow.

Should be fixed.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.