I spent a lot of time working with og.module today. I have come across and inconsistency, and I am not sure if it is by design. Here are the steps to reproduce the error.

  1. Install og and og_menu
  2. Set up content types for Group node and a node to post in the group as normal
  3. Set the permissions to allow authenticated users to "access content", "create page content" (or whichever node type you used), "delete own page content", "edit any group_node content", "edit any page content", "edit own group_node content", "edit own page content".
  4. Create two closed Group nodes, no editing of the members allowed.
  6. Put a non-administrator user in to one Group node members list but not the other.

The result is that the "Edit" menu is available on both Group nodes, event when the user is not a part of the Group. The "Menus" tab shows correctly. The benefit to setting it up like this is a member of a group can edit anyone's posts in that group like the permissions imply, but the problem is, it is still letting the nodes be edited in other groups. The block seems to work fine, but I believe that is because it is closed, not because of the permissions.

I have adapted the Menu permission code over to the og.module, here is the result:

/**
 * Implementation of hook_menu_alter().
 */
function og_menu_alter(&$menu) {
  // If og_access is disabled, we at least add back the edit tab for group admins to edit their posts.
  $menu['node/%node/edit']['access callback'] = 'og_menu_access_node_edit';
  $menu['node/%node/edit']['access arguments'] = array(1);
}

function og_menu_access_node_edit($node) {
  // Is the user a member and has access to editing nodes
  if (node_access('update', $node)) {
    if ($node && og_is_group_member($node)) {
	  return TRUE;
	}
    // Am I a group admin for this group post?
	else if (!module_exists('og_access') && isset($node->og_groups)) {
      foreach ($node->og_groups as $gid) {
        if (og_is_group_admin(node_load($gid))) {
          return TRUE;
        }
		// Does the user have access to a group the node is assigned to
	    else if ($gid && og_is_group_member($gid)) {
		  return TRUE;
		}
	  }
    }
  }

  // Am I group admin for this group node?
  if (!module_exists('og_access') && og_is_group_admin($node)) {
    return TRUE;
  }
  
  // Since the group admin tests failed, check access as usual.
  return FALSE;
}

Let me know what you think!

Comments

apaderno’s picture

apaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
CreditAttribution: apaderno as a volunteer commented
Version: 6.x-2.1 » 6.x-2.x-dev
Status: Active » Closed (outdated)
Issue tags: -node edit, -menu access, -permission problems

I am closing this issue, as Drupal 6 is now not supported.