When trying to validate if a user has access to a certain entity, I noticed you cannot get the target id inside the OgSelectionHandler class. The following code is at issue:

Lines 136-144 of includes/og.field.inc

        $ids = array();
        foreach ($dummy_entity->{$field_name}[$langcode] as $delta => $value) {
          $id = $value['target_id'];
          if (in_array($id, $other_groups_ids)) {
            $ids[] = $id;
          }
        }

Specifically, the $id is the target_id in the existing field, and it also is $other_groups_ids because the user is not a member of the group:

Line 73 of includes/og.field.inc

    $user_gids = og_get_entity_groups();

While this is great when we're enforcing member only groups, this fails for non-member access checks. (IE: create page content node access for non-members is set to TRUE).

I think some other piece of validation needs to be added here so those groups don't get removed from what the user has access to if they actually can post into those groups.

Comments

tanius’s picture

tanius CreditAttribution: tanius commented

It seems to me that this is a duplicate of #1902086: Allow group-audience widget to allow adding new content to groups a user doesn't belong to, but I am not totally sure. The currently proposed resolution in that issue is to develop your own, alternative selection handler (with the feature provided via #1865944: Allow implementing modules to change the My/Other groups selection). This is for example done by the Drupal Commons distribution, providing a "Commons OG" selection handler that does exactly what you want (allow selecting groups the user can post in, but is not a member of).

Plus, there is apparently one exception from this behaviour, namely allowing to select groups the user does not belong to via the entityreference_prepopulate module – see #1902086 comments #19, #23 and #24 and confirmed by the README at l. 111. (However, according to my own tests with OG 2.7, this seems broken now. I reported this as #2692525: Remove entityreference_prepopulate way to select group of which user is not member now.)