OG User Roles: Grants

Last updated on
30 April 2025

As of version 5.x-3.0, OGUR writes its own access grants. However, these grants are highly specialized: they are not provided unless TAC/OG Integration is turned on (because they involve TAC permissions as well). This means you must have the Taxonomy Access Control module installed. These grants let users see content they have access to outside of group context.

For example, if ogr_access grants are written, when a user clicks on "Recent Posts", he can see all nodes in all groups that he has access to. When these grants aren't written, the user can only see the nodes he has access to from the group he is currently in.

These grants are not, however, critical to OGUR operation.

Please note that ogr_access grants are written ONLY IF:

a. TAC/OG Integration is turned on.
b. You have defined users with OG roles.
c. You have defined content that these OG roles will have access to.
d. Said content is associated with a vocabulary.

Here's the code that creates the ogr grants in hook_node_access_records:

    // This creates all ogr grants.
    // The node ID is passed through db_query()'s %d placeholder instead of
    // being concatenated into the SQL string.
    $where = "WHERE ta.rid = ogr.rid AND n.nid = %d";
    $result = db_query("SELECT n.nid, ta.rid, ogr.ogr_id,
      BIT_OR(ta.grant_view) AS grant_view,
      BIT_OR(ta.grant_update) AS grant_update,
      BIT_OR(ta.grant_delete) AS grant_delete
      FROM {term_node} n
      INNER JOIN {term_access} ta ON n.tid = ta.tid
      INNER JOIN {og_ancestry} oa ON n.nid = oa.nid
      INNER JOIN {og_users_roles} ogr ON oa.group_nid = ogr.gid
      $where GROUP BY n.nid, ta.rid", $node->nid);

    // One row per TAC role that is also an OG role in one of the node's groups.
    while ($row = db_fetch_object($result)) {
      // Only an explicit 1 counts as a grant; anything else becomes 0.
      $grant_view = ($row->grant_view == 1) ? 1 : 0;
      $grant_update = ($row->grant_update == 1) ? 1 : 0;
      $grant_delete = ($row->grant_delete == 1) ? 1 : 0;

      $grants[] = array(
        'realm' => 'ogr_access',
        'gid' => $row->ogr_id,
        'grant_view' => $grant_view,
        'grant_update' => $grant_update,
        'grant_delete' => $grant_delete,
        'priority' => 0,
      );
    }

As you can see, if there is no access defined for the node in term_node and term_access, then no ogr_access record will be written.

If there is term_access defined (i.e., the node is associated with a taxonomy vocabulary), then OGUR will write the appropriate grants to the Drupal node_access table in the ogr_access realm. The gid of ogr_access grants is the ogr_id column from the og_users_roles table.
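
When a node has no ogr_access grants, the joins in the query above can be checked one stage at a time to see which condition is not met. The following MySQL query is an added diagnostic, not part of OGUR; it uses the table and column names from the query above plus core's node_access table, assumes no table prefix, and uses 123 as a placeholder node ID.

```sql
-- Added diagnostic (not OGUR code). 123 is a placeholder nid.
SET @nid = 123;

SELECT
  -- Condition d: the node carries at least one taxonomy term.
  (SELECT COUNT(*)
     FROM term_node tn
    WHERE tn.nid = @nid) AS terms_on_node,

  -- Condition c: TAC has access rows for those terms.
  (SELECT COUNT(*)
     FROM term_node tn
     INNER JOIN term_access ta ON tn.tid = ta.tid
    WHERE tn.nid = @nid) AS tac_rows_for_terms,

  -- The node belongs to at least one group.
  (SELECT COUNT(*)
     FROM og_ancestry oa
    WHERE oa.nid = @nid) AS groups_for_node,

  -- Condition b: users hold OG roles in one of those groups.
  (SELECT COUNT(*)
     FROM og_ancestry oa
     INNER JOIN og_users_roles ogr ON oa.group_nid = ogr.gid
    WHERE oa.nid = @nid) AS og_role_rows_in_groups,

  -- Full join used by OGUR: a TAC role that is also an OG role in the group.
  (SELECT COUNT(*)
     FROM term_node tn
     INNER JOIN term_access ta ON tn.tid = ta.tid
     INNER JOIN og_ancestry oa ON tn.nid = oa.nid
     INNER JOIN og_users_roles ogr ON oa.group_nid = ogr.gid
    WHERE ta.rid = ogr.rid
      AND tn.nid = @nid) AS rows_matching_grant_query,

  -- What is actually stored for this node in the ogr_access realm.
  (SELECT COUNT(*)
     FROM node_access na
    WHERE na.nid = @nid
      AND na.realm = 'ogr_access') AS ogr_access_rows_written;
```

The first column that returns 0 points at the unmet condition. If rows_matching_grant_query is non-zero but ogr_access_rows_written is 0, check condition a (TAC/OG Integration).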

See discussions on this here:

If ogr_access grants do not appear in the Multinode Access UI

In order to see the ogr_access realm in the multinode access table as user 1, user 1 must belong to at least one group and have at least one OGUR "Member role" configured in that group.
