afaik it's impossible to assign anonymous users to organic groups, however this function, called by og_access_node_grants() (and hence on any node page via node_access()) queries the og_uid table with uid = 0. Attached patch checks for !$uid and returns an empty array early.

CommentFileSizeAuthor
og_get_subscriptions.patch595 bytescatch

Comments

amitaibu’s picture

amitaibu
Primary language Hebrew
Location Israel
commented
Status: Needs review » Fixed

Committed, thanks.

amitaibu’s picture

amitaibu
Primary language Hebrew
Location Israel
commented

@catch,

btw, where is this function called from for anonymous user -- we should probably prevent it from being called.

catch’s picture

catch
he/him
Primary language English
commented

Thanks!

This is the code in question. Agreed it makes sense not to call it at all here, but I'm not very familiar with the og code base so checking directly in the function itself seemed like it'd case any other cases too.

function og_access_node_grants($account, $op) {
  if ($op == 'view') {
    $grants['og_public'][] = 0; // everyone can see a public node
  }

  // Subscribers get an admin or non-admin grant for each subscription
  if ($subscriptions = og_get_subscriptions($account->uid)) {

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.