During working with "Organic groups" (7.x-2.0) and "Organic Groups Workflow Access" modules I found bug with node access-control. Looks like "Organic Groups Workflow Access" don't care about what group is checked for access.
For example:
There 2 content types which are groups (lets call them "Type 1" and "Type 2").
And there are 2 nodes of each type (lets call them "Group 1" and "Group
There is workflow with state "Published". This state is configured so that only members can of "Group 1" and/or members of "Group 2" can view nodes with such state (i.e. checkboxes (from group "Group roles who can view posts in this state") "Group 1 – member" and "Group 2 - member" are cheked).
"Group 2" has group content node ("Group node 1"). And this "Group node 1" is setted as "private" and is with state "Published".
Some user is member only of "Group 1". And this user should have access to "Group node 1" because it is private and he/she isn't member of "Group 2", but this user can view it.

CommentFileSizeAuthor
#3 og_workflow_access-2070787-3.patch3.23 KBfedia.io1
#2 og_workflow_access-2070787-2.patch3.06 KBfedia.io1

Comments

fedia.io1’s picture

fedia.io1 commented
Status: Active » Needs review

I've corrected og_workflow_access_node_grants and og_workflow_access_node_access_records function to fix this issue.

fedia.io1’s picture

fedia.io1 commented
StatusFileSize
new og_workflow_access-2070787-2.patch3.06 KB

Hmm...
One more try to attach patch.

fedia.io1’s picture

fedia.io1 commented
StatusFileSize
new og_workflow_access-2070787-3.patch3.23 KB

Corrected patch because previous patch #2 causes PDOException on saving og workflow access settings.

Tim-Erwin’s picture

Tim-Erwin commented
Assigned: Unassigned » Tim-Erwin

fedia.io1,

thanks a lot for fixing this issue. I'll have a look at your patch soon and will integrate as appropriate.

Tim-Erwin’s picture

Tim-Erwin commented

This makes a whole lot of sense, committed (with a minor change: I find it more logical to assign roles as grand ids to group realms than the other way round).

Although one question remains:
In og_workflow_access_node_grants() you iterate over the entity types, but in og_workflow_access_node_access_records() you assume 'node' as type. Doesn't that cause any difficulties?

  • Commit da47f67 on master, 7.x-2.x authored by fedia.io1, committed by Tim-Erwin: 
    #2070787: make access records specific to groups and their types
Tim-Erwin’s picture

Tim-Erwin commented
Issue summary: View changes
Status: Needs review » Closed (fixed)