Problem/Motivation

In a group type, I have a role "Moderator" (in Group it is one of the Outsider roles) to which I set the permission: "Group membership: Administer group members"
When accessing the page "/group/{groupNr}/members", the Moderator gets the message "Access denied, You are not authorized to access this page." The access can only be granted if I set the permission "Administer group", but this option gives too many access rights.

Another case: A role Group manager with permissions "Access the Group overview page" but without "Bypass group access control". A user with Group manager role is also member of a few groups. At the groups overview page at /admin/group, this user can only edit those groups of which he is _not_ a member. Being a member disables access to editing the group.

Comments

Anonymous’s picture

vlalieu created an issue. See original summary.

recrit’s picture

Is "Moderator" a group role or an outsider / Drupal role?
I had a similar issue when a user with a privileged outsider role was also a member of the group. They lost permissions granted to the outsider role.

recrit’s picture

Status: Active » Needs review

@vlalieu to fix your issue, the view at "/admin/structure/views/view/group_members/edit/default" can be updated to use "Access: Group permission: Group membership: View individual group members" instead of Administer members.

The attached patch adds the outsider roles for members also. This allows outsider admins to be able to administer members and group admins to have limited admin access.

Sutharsan’s picture

Title: Permission "Group membership: Administer group members" does not seem to work » Permissions of outsider roles are ignored for members
Component: Group (group) » Code
Issue summary: View changes

I think I got to the bottom of this. Thanks to @recrit for the patch, it got me in the right direction.

I retraced the history of this code and found #2883238: Move the grolesync module to the main module for outsiders only, where the patch below creates the logic which causes the problem.

@@ -88,13 +99,19 @@ class GroupRoleStorage extends ConfigEntityStorage implements GroupRoleStorageIn
 
       // Add the implied group role IDs.
       if ($include_implied) {
+        $group_type = $group->getGroupType();
+
         if ($membership !== FALSE) {
-          $ids[] = $group->getGroupType()->getMemberRoleId();
+          $ids[] = $group_type->getMemberRoleId();
+        }
+        elseif ($account->isAnonymous()) {
+          $ids[] = $group_type->getAnonymousRoleId();
         }
         else {
-          $ids[] = $account->isAnonymous()
-            ? $group->getGroupType()->getAnonymousRoleId()
-            : $group->getGroupType()->getOutsiderRoleId();
+          $ids[] = $group_type->getOutsiderRoleId();
+          foreach ($account->getRoles(TRUE) as $role_id) {
+            $ids[] = $this->groupRoleSynchronizer->getGroupRoleId($group_type->id(), $role_id);
+          }
         }
       }
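Review bot: The synchronized role IDs from `$account->getRoles(TRUE)` are added only in the final `else`, so an account with `$membership !== FALSE` gets `getMemberRoleId()` and nothing derived from its global roles. If a global role is meant to grant group permissions regardless of membership, move the `foreach` out of the `else` so it runs for every authenticated account, and add a test for a user who is both a member and a holder of a synchronized role, since this branch decides access. The hunk also relies on `$this->groupRoleSynchronizer`, whose injection is not visible in these lines.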

The elseif introduced the problem:

Before the issue the situation was

if member then doMemberStuff
else (if anonymous then doAnonymousStuff else doTheRest)

This was changed to

if member then doMemberStuff
elseif doAnonymousStuff
else doTheRest

Now doTheRest is no longer called if one is a member.
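
The effect on an access check, as an added example that is not code from the Group module or from any patch in this issue: it models the branching of the quoted hunk next to the variant described in #3 (outsider roles for members also). The role ID format, the `team` group type, the `moderator` global role and the permission map are constructed for the illustration.

```php
<?php
// Hypothetical ID format "<group_type>-<global_role>"; not the module's real scheme.
function syncedRoleIds(string $groupType, array $globalRoles): array {
  return array_map(function ($role) use ($groupType) {
    return "{$groupType}-{$role}";
  }, $globalRoles);
}

// Same branching as the quoted hunk: synchronized roles only in the final else.
function impliedRolesAsInHunk(string $groupType, bool $isMember, bool $isAnonymous, array $globalRoles): array {
  if ($isMember) {
    return ["{$groupType}-member"];
  }
  if ($isAnonymous) {
    return ["{$groupType}-anonymous"];
  }
  return array_merge(["{$groupType}-outsider"], syncedRoleIds($groupType, $globalRoles));
}

// Variant as described in #3 (assumed reading): members keep the synchronized roles too.
function impliedRolesForMembersAlso(string $groupType, bool $isMember, bool $isAnonymous, array $globalRoles): array {
  $ids = impliedRolesAsInHunk($groupType, $isMember, $isAnonymous, $globalRoles);
  if ($isMember && !$isAnonymous) {
    $ids = array_merge($ids, syncedRoleIds($groupType, $globalRoles));
  }
  return $ids;
}

// True if any of the resolved group roles carries the permission.
function can(array $roleIds, string $permission, array $permissions): bool {
  foreach ($roleIds as $id) {
    if (in_array($permission, $permissions[$id] ?? [], true)) {
      return true;
    }
  }
  return false;
}

// Constructed permission map: only the synchronized "moderator" role may administer members.
$permissions = [
  'team-member' => ['view group'],
  'team-outsider' => [],
  'team-moderator' => ['administer members'],
];

foreach ([[false, 'non-member'], [true, 'member']] as [$isMember, $label]) {
  $hunk = can(impliedRolesAsInHunk('team', $isMember, false, ['moderator']), 'administer members', $permissions);
  $also = can(impliedRolesForMembersAlso('team', $isMember, false, ['moderator']), 'administer members', $permissions);
  printf("%-10s hunk: %-5s members-also: %s\n", $label, var_export($hunk, true), var_export($also, true));
}
```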

Sutharsan’s picture

This patch fixes just the elseif and with that brings back the original high-level logic.

I have compared the result of the code in #3 and #5 that generates the extra roles related to the outsider roles, and concluded that the additional code that #3 adds does not add extra value. I prefer that #5 reduces the complexity and #3 adds more.

Status: Needs review » Needs work

The last submitted patch, 5: group-fix-outsider-as-member-2898655-5.patch, failed testing.

geek-merlin’s picture

Status: Needs work » Closed (duplicate)
Related issues: +#2884662: Give group permission based on global role regardless of group membership

Imho dup of the other.