Security advisory for group module

wxt includes version 1.6 of the group module which is unaffected by the security advisory

lowering to normal, since wxt is currently not affected.

GROUP support Status
8.x-1.x Drupal 8 / 9 Security fixes only
2.x.x Drupal 9 / 10 Upgrade path from 8.x-1.x
3.x.x Drupal 9 / 10 For fresh installs
It is a good point that Wxt is using an expired generation of this contrib line.
- upgrade paths? Wxt weould need to go group v2 first then (next release? go to v3)

@PratikshaD
related question if i may:
- how did you download and install Wxt?
- what php version are you running?

bug.

re: Group Upgrade paths? Wxt weould need to go group v2 first then (next release? go to v3)

Note: Other contrib projects used in WxT may need similar version evaluation for version progression

I was able to apply the patch, I but ran composer update -W after that and the module wasn't upgraded, maybe I am missing something?

@danrod, when you run compose update, dependencies are calculated before patches are applied. This means you can't patch a composer.json file to change the module version like this. You would have to do this in your root composer.json file, for example:

"require": {
  "drupal/group": "2.0.0 as 1.6.0"
}

Agreed since they say group 1.6 isn't supported in D10 this is probably something we have to do.

Sadly I do notice that there are no corresponding patches for the 2.x.x line so I'm hoping the problem is just fixed that those patches were attempting to address.

            "drupal/group": {
                "Enter drupal/group patch #2817109 description here":
                "https://www.drupal.org/files/issues/2817109-by-rachel_norfolk-ericras-How-to-redir.patch",
                "Enter drupal/group patch #2864721 description here":
                "https://www.drupal.org/files/issues/2020-07-30/group-translate_content_permission-2864721-20.patch",
                "Enter drupal/group patch #2895988 description here":
                "https://www.drupal.org/files/issues/2022-07-31/2895988-29.patch"
            },

Becomes

            "drupal/group": {
                "Enter drupal/group patch #2817109 description here":
                "https://www.drupal.org/files/issues/2022-11-02/2817109-2.0.x-how-to-redirect-30.patch"
            },

I did push the patch to the 5.0.x and can cherrypick into 5.1.x but I'm concerned about those patch changes.

@sylus
I do agree we need to cycle back and review those 2 patches, verify if contrib has 'fixed' in some other way.
otherwise
- see if those issues continue in other issues now.
- port those patches for Group 2.x. if still needed..

We've been developing recently with group 3.2.2 without any patches.

With that said, we're using the group module, not wxt_ext_group and a recent build of wxt 5.0.x

Group 3.2.2 is working thusfar for our purposes without any patches.

I am unfamiliar with wxt_ext_group.

As far as I'm concerned, this doesn't inhibit our desire to upgrade to 5.1.x

Whatever you go with, we'll override the group version and go with 3.2.2 and add patches-ignore for any broken patches.

What we're most impatient for is a tagged release of 5.1.0-rc1

We're fine with whatever happens with the group module and we will just override composer requirements for this module as needed.

@joseph

#2864721: Group-Permission to translate content
#2895988: Improve performance of the membership loader
loosing these are release manager notes for sure for now.
However, if indeed we are okay in keeping v1 group because it doesn't have the security bug -- then we can PAUSE THIS (revert dev) ISSUE untill we can verify, recover these patches (should be low trouble..)

fyi: I should be able to do this over the next few days. i do have some some other day tasks right now (:

-> going to v3 Group we'll need an upgrade path for COMMENT #6. again, we still need to verify the patches/functionality is 'in scope'

please also merge into 5.1.x

Hmm, if this was merged into 5.1.x and pushed into the gitlab repos, normally drupal.org will add the commits into this issue as they have the issue number. I'll check 5.1.x now

I just checked 5.1.x, neither of these commits made it into head.

Probably should merge 5.0.x into 5.1.x

I just did a merge locally of 5.0.x to 5.1.x, it's easy enough to sort out the conflicts and they all make sense, mostly just info files for wxt version numbers and some of the changelog, should be easy to sort out manually.

keep the 5.1.x numbers and jettison the 5.0.x of the merge conflict
there's many .info.yml files to sort out but I think the easiest way to get all the 5.0.x fixes into 5.1.x is to simply merge 5.0.x into 5.1.x and resolve the rather simple to resolve conflicts that I'm seeing in my cloned repo of wxt.

I also compared the latest of 5.0.x with the latest of 5.1.x, I don't see anything in the merge of 5.0.x into 5.1.x other than what was mentioned that would cause problems.

re: group patches

2895988 - purpose of patch: to add caching to permission lookups.
These seems to be resolved in the Group v2 line by the refactoring around GroupMembershipLoader() now uses a 'NewGroupMembership' (class alias) which uses CacheableDependencyInterface (didn't exist in group1 timeline/lifespan). Seems to negate the need for this patch!
class GroupMembership implements CacheableDependencyInterface {

notes:
group 2.2 composer addition module 'flexible_permissions'. needs activation. we may need to pre-patch (include '?' syntax), module now yet active but post cache clear. can not yet run updb!!
group.service.yml --> arguments: ['@?flexible_permissions.chain_calculator']

@sylus & @joseph.olstad:

re: #2864721: Group-Permission to translate content
would either of you perhaps know if https://www.drupal.org/project/group_permissions be a substitute for this patch? I gather this project would let us build in the same permission to 'translate {gnode} entity'?

secondly, from the original patch on 1.6 where the UI/checkbox options get added?

Thanks @SKAUGHT and I took a look at the other patch and it seems its also resolved and mentioned in this comment here:

https://www.drupal.org/project/group/issues/2864721#comment-13928947

Using Drupal 9.1 with Groups, no longer requires this patch (#2864721). It is resolved in Drupal 9.1 (and likely with patch https://www.drupal.org/project/drupal/issues/2972308 for previous Drupal versions).

The next comment references functionality we might lose but seems like can be added by group_permissions as you suggested.

I pushed an update to group ^2.2 with the patches removed and just want to test an upgrade.

Then can look at adding that module.

Okay with flexible_permissions added and enabled in an earlier release.

Group has been updated to ^2.2 with the comments above still being correct.

Marking this ticket as Fixed after confirming 5.2.x and 5.3.x both have the drupal/group ^2.2, with flexible_permissions.