Problem/Motivation

Group Authorization doesn't support the recommended versions of Group module, 2.0 and 3.0, blocking updating of Group module.

Steps to reproduce

Changing my composer.lock dependency to group 2.0, I was able to update to Group 2.0 to see how Group Authorization would fare, and got this error on the Group Authorization UI page:

Error: Call to undefined method Drupal\group\Entity\GroupRole::isInternal() in Drupal\authorization_group\Plugin\authorization\consumer\GroupConsumer->buildRowForm() (line 65 of modules/contrib/authorization_group/src/Plugin/authorization/Consumer/GroupConsumer.php).

Proposed resolution

Group Authorization needs a 2.0.0 version compatible with Group 2.0/3.0

Remaining tasks

User interface changes

API changes

Group API changes are documented here:
https://www.drupal.org/docs/extending-drupal/contributed-modules/contrib...

Data model changes

In the Group 2.0 release notes, roles have been completely reworked:
https://www.drupal.org/project/group/releases/2.0.0

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

Comments

KarlShea created an issue. See original summary.

karlshea’s picture

Hitting "The calculator "Drupal\group\Access\IndividualGroupPermissionCalculator" returned permissions for scopes other than "individual""

See #3352235-8: An already assigned individual role can be made out/insider, leading to a crash in the permission calculation

Also make sure you do not try to assign an insider or outsider role to a membership via code.

??

Edit: Nevermind! My converted roles were screwed up.

karlshea’s picture

To support Group 4.x in the future we'll run into https://www.drupal.org/node/3383363

karlshea’s picture

This is working, but on login is throwing messages about insider roles being revoked.

karlshea’s picture

@bluegeek9 you were right, it should have been !$role->getGlobalRoleId(), it was because my roles were screwed up.

karlshea’s picture

Status: Active » Needs review

All committed to 2.0.x-dev, but it's working for me using Group 2.2.1!

willabby’s picture

Thank you for your quick response! I have applied the 2.0.x-dev version and all errors are gone. It has been several years since I set up Group, so trying to wrap my head around the new permissions/roles.

When I updated group authorization to 2.0.x-dev version, and checked on the group assignments, all my Group and Roles were empty. All my LDAP Queries map to a "member" role. I went back to my groups and noticed that on updating to Group 2.2.1 it converted my Member role to "Insider" which is "Assigned to all members who have the corresponding global role." Technically all my members are also authenticated users, so that I guess makes sense? But I switched the role to "Individual" since I need it to show on the group assignment page, and when I refreshed, member was restored to the Group and Roles drop down.

Any chance you could tell me what the difference is between those two types of roles? And, why Group Authorization only recognizes the "Individual" role?

willabby’s picture

Issue summary: View changes

  • bluegeek9 committed 552daadb on 2.0.x
    Issue #3398495 by bluegeek9: Group 2.0/3.0 compatibility
    
bluegeek9’s picture

Assigned: Unassigned » bluegeek9
Status: Needs review » Active
StatusFileSize
new28.18 KB
new33.91 KB

I tested with a fresh install.

I created a new group type. There were two default Administrator roles, an inside, and an outsider. I created a new role, Superstar as an Individual.

I think we need to include an option for role 'None'.

Authorization profile

Group membership

Group roles can belong to one of three scopes:

Outsider: Assigned to all non-members who have the corresponding global role.
Insider: Assigned to all members who have the corresponding global role.
Individual: Can be assigned to individual members.

Outsider and Insider roles are automatically granted based of Drupal roles. If you need a user from an LDAP group mapped to an Outsider role you need to use the authorization_drupal_roles module, part of the authorization project. To map a user to an Insider role, they must be a member, and they must have the corresponding Drupal role.

group (2.2.1)
authorization (1.1)
authorization_group (2.0.x-dev)
ldap (4.5.0)

karlshea’s picture

The thing that's kind of weird about Outsider/Insider roles vs the older versions of groups is that you'll need to create duplicate roles (one outsider, one insider) if you don't want a user to lose permissions when becoming a member. That's nothing to do with this module though, it's just a heads-up since it works a little differently.

karlshea’s picture

I think we need to include an option for role 'None'.

Yeah agree here, we should be able to create the membership without assigning roles.

If you need a user from an LDAP group mapped to an Outsider role you need to use the authorization_drupal_roles module

Or an Insider role: you'd map them to the global role using authorization_drupal_roles, and map them to the group using this module. The Insider role would get picked up automatically.

bluegeek9’s picture

Assigned: bluegeek9 » Unassigned

I added the 'None' role, but the revokeGrants needs to be updated. I think we should add a base field to the user entity to track the group:roles granted to a user by the authorization_group, like authorization_drupal_roles does for roles. This would also allow us to revoke only memberships granted by authorization.

karlshea’s picture

I don't disagree in theory, but that would leave existing installs in a weird state where if they updated then none of the existing roles would be cleared since they don't exist in that field. Unless an update hook was written to pre-fill those values for every user with a role, but is having that hook making the right assumptions?

I also don't have much more time I can put into this module at the moment past possibly taking a look at updating revokeGrants.

Do we just want to cut a release where it keeps working the way it has been? Or should 2.x stay as just a dev release until a decision is made?

bluegeek9’s picture

I created a new issue to handle the new field.

I think the way revokeGrants works currently is it removes any group:role which a mapping exists for, but the user was not granted by a provider.

We can add the field, and bulk inserts users' current group:role memberships, which a mapping exists for. This retains the existing behavior for existing users and add the ability to manually assign a user.  

#3399106: Revoke membership and roles previously assigned by authorization

I think we can hold off on a 2.0.0 release for another week. There are 13 sites using the module.

karlshea’s picture

Sounds good to me!

bluegeek9’s picture

Status: Active » Needs review

My main contribution was unit test. I also made small changes. I did remove submitRowForm, because the Authorization module does this for us, just not in parent::submitRowForm().

bluegeek9’s picture

Status: Needs review » Fixed

  • bluegeek9 committed de07d135 on 2.0.x
    Issue #3398495 by KarlShea, bluegeek9: Group 2.0/3.0 compatibility
    

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.