Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.
By kristiaanvandeneynde on
Change record status:
Published (View all published change records)
Project:
Introduced in branch:
3.3.x, 2.3.x
Introduced in version:
3.3.0, 2.3.0
Issue links:
Description:
When editing a group membership, the UI only allows you to add individual roles to the member. The code base relies on the fact that an outsider or insider role cannot be assigned to a member.
However, when editing an individual role that had already been assigned to members and changing it so that it now belongs to the insider or outsider scope, the above rule was broken and could lead to crashes.
It is now impossible to change a role from the individual scope to the insider/outsider scope if it already has been assigned to members. In the UI it will show an error and via code it will throw an exception.
If you face this issue, you can follow these steps to resolve it:
- Check the query in
GroupRoleStorage::hasMembershipReferences()and run it without the count query to find out which memberships have the offending role(s) assigned. - Manually verify each of these memberships and figure out whether they can just lose the offending role(s) or whether further action needs to be taken
- Once you are sure the role(s) can be safely revoked, call
GroupRoleStorage::deleteMembershipReferences()on the offending roles
Known issue: It is still possible to programmatically add an insider/outsider role to a membership. That will be dealt with here: #3480110: Disallow the programmatic assignment of insider/outsider roles to members
Impacts:
Site builders, administrators, editors
Module developers
Site templates, recipes and distribution developers
