og_group_manager_full_access is too powerful - and is probably hiding issues in the admin permissions

I have now tracked this down to an empty og_users_roles table.

og_roles seem to be tied directly to the UI module. The only place I can see them assigned is via og_ui_user_multiple_role_edit.

Should the admin role not be assigned to the group owner ? Maybe it's easiest to assign this in the same way that the AUTHENTICATED and ANONYMOUS roles are assigned in og_get_user_roles. If we go the database route, we have to keep track of changes in the uid, and know which roles were assigned automatically and which were assigned manually. Perhaps OWNER and ADMIN are different roles ?

I don't think roles should be tied to UI.

Ok, I can work with it. It might need to be explained somewhere, but I suppose it's not that far off from the UID=1 and an Admin role.

I will see if I can contribute an OWNER role module.

Well. I have spent years (literally) removing public facing UI from OG sites. Now that this is in a seperate module, I am very happy... however, it would still be handy as a site admin to use some of the functionality provided by the UI module.

I disable the "og_group_manager_full_access" setting, but this means that the group managers now don't even have access to edit the group node. I need to give them back permissions to edit that, and therefore need to assign them a role.

If I want to have the group owner be an admin, but also want to keep my options open to assign multiple admins, I am concerned that there might be a few bits of twisted logic involved.

If I automatically assign the admin role to the node author, what happens if the author changes ? Do I then remove the role from the old admin and assign it to the new one ? What if I want to keep the old owner as an admin too ?

Creating a role that separates OWNER and ADMIN, means I don't have to worry about overlapping assignments, there is always one owner - and admin is something else if it needs to be.

How about a user_roles_alter hook ?

It wouldn't really help for og_get_users_by_roles, but may help for special roles similar to authenticated and anonymous.

I have written this module to get around things.

on the Rules hint...I have written some rules stuff, but have not yet bitten the bullet and built the OG integration. My experience with rules in it's current state has been frustrating, but I am already using it to assign a system level group owner role.

Hope to get there soon..

I can close this, there is no real need to change how things work now.