When you have a block of "my groups" that requires a "more" link, this link goes to og/user, but it always gives an "access denied" message.

I commented out the following code from line 866 in the og_list_groups_page function:

  if ($uid != NULL && arg(2) != 'opml' && !is_int($uid)) {
    drupal_access_denied();
  }

and this worked for the admin account (user 1) but gave mysql errors for a regular authenticated user. I'm not sure what the problem is, please help?

cheers
alynner

CommentFileSizeAuthor
#12 og_user_groups2.patch2.31 KBgeodaniel
#11 og_user_groups_retry.patch978 bytesgeodaniel
#5 og_user_groups.patch917 bytesgeodaniel

Comments

alynner’s picture

alynner commented

I think that if you change :

  if ($uid != NULL && arg(2) != 'opml' && !is_int($uid)) { //
    drupal_access_denied();
  }

to:

  if ($uid == NULL && arg(2) != 'opml' && !is_int($uid)) { //
    drupal_access_denied();
  }

it should work, I just get many mysql errors for users that aren't in any groups as follows:

user warning: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 1 query: SELECT COUNT(*) FROM og og INNER JOIN node n ON og.nid = n.nid INNER JOIN node_revisions r ON r.vid = n.vid INNER JOIN users u ON n.uid = u.uid INNER JOIN og_uid ou ON ou.uid = u.uid INNER JOIN node_access na ON na.nid = og.nid WHERE (na.grant_view >= 1 AND ((na.gid = 0 AND na.realm = 'all') OR (na.gid = 0 AND na.realm = 'og_public') OR (na.gid = 0 AND na.realm = 'og_all'))) AND og.nid IN () in /home/domain/public_html/includes/database.mysql.inc on line 120.

Which I think is coming from line 892:

$cnt = db_num_rows(db_query(og_list_users_sql(), $node->nid));

so there needs to be a check somewhere to see if the user is in any groups at all.

Patrick Nelson’s picture

Patrick Nelson commented

alynner,

I'm getting the same SQL errors as you when visitors are not in any groups. Are you saying that your change fixes that?

alynner’s picture

alynner commented

no this isn't a fix for that, this is a fix for the "more" link. Line 892 from the above post is where the problem is, I think if you put an if statement in there it would probably fix it:

if ($node->nid > 0) $cnt = db_num_rows(db_query(og_list_users_sql(), $node->nid));

I don't actually use this block myself, I was helping someone else out, so please try it out and let me know if this works for you.

-alynner

misty3’s picture

misty3 commented

Hi Alynner,

Thanks a lot always and more
for taking out time to try to solve this problem.
Does the OG developers know of this situation yet ?
How are other OG users or socialnetworking sites tackling this ?

The above two alterations actually *reverses* the situation.
I am trying with 4.7.5 ( same with 4.7.6 and 4.7.4 )

Reverses means : now 'more' link does show normally a list of
groups I am subscribed too but the link to main og page ...?q=/og
for me or any legit user gives `access denied`

Could some one just test this ? It takes very little time infact.
If tested we know the results are reproducible.

One notable thing I find is that - completely removing
`if ($uid != NULL && arg(2) != 'opml' && !is_int($uid))`
can apprently solve the situation. However, it is NOT
clear whether it hampers any of the regular functioning of
the script or OG members. Probably this clarity can come from
OG coders themselves or if someone kindly tests out the stuff.

I have got know SQL errors but will like to know how to get them
i.e reproduce them so that similar situation can be prevented.

Best regards

geodaniel’s picture

geodaniel commented
Assigned: Unassigned » geodaniel
Status: Active » Needs review
StatusFileSize
new og_user_groups.patch917 bytes

I'm having issues with this as well, but I don't think simply commenting out the drupal_access_denied() message is the answer.

We just need to add another check to that if statement. I've attached a patch to do this, and I think it works, though it's not fully tested as I can't replicate the og menu appearing when anon users access og/user/x or og/manage/x (the reason that little check is in there in the first place).

geodaniel’s picture

geodaniel commented
Title: og/user access denied » Access denied for all users on 'My Groups' page (og/user)
alynner’s picture

alynner commented

but I didn't comment out the access denied message, I changed $uid != NULL to $uid == NULL and it worked for me. I think its a typo and it should be ==.

-alynner

alynner’s picture

alynner commented

sorry I think I have that backwards - I changed line 866 from

if ($uid == NULL && arg(2) != 'opml' && !is_int($uid)) {

to

if ($uid != NULL && arg(2) != 'opml' && !is_int($uid)) {

and it works EXCEPT that it doesn't at all do what its supposed to do which is make access_denied for og/manage for anon users, so this probably shouldn't be used. I also tried geodaniel's patch and it has the same effect as this change.

geodaniel’s picture

geodaniel commented
Status: Needs review » Needs work

Sorry alynner, I misread what you'd written originally. I'll have another look at this and see if we can figure out a solution that gives the desired effect.

geodaniel’s picture

geodaniel commented

Hmm, I hadn't noticed this before but it doesn't actually give a proper Access Denied page either... scroll down and you'll see most of the proper page underneath it.

geodaniel’s picture

geodaniel commented
Assigned: geodaniel » Unassigned
Status: Needs work » Needs review
StatusFileSize
new og_user_groups_retry.patch978 bytes

Just for reference, this change to the code was introduced back in #83484 - the check was introduced to stop anon users getting the SQL errors that alynner mentioned in #1 above.

So, I've updated the patch... Does this one have the desired effects? It now only gives the access denied on og/manage/x, not og/user/x as I seem to get one there anyway without changing anything. Plus it returns drupal_access_denied() which stops a deformed page being loaded after the content from just printing the access denied message.

Because of this change we now run into MySQL errors if an auth user is in no groups and visits og/user - but I think this is a separate issue.

There is also other weirdness on the og/user page. When OG's access control is disabled, the groups are replicated numerous times in that list. When the access control is enabled, the right number of groups show up but the pager still thinks there are many more groups in the list and so shows links to pages 2, 3, etc. which are actually just empty.

geodaniel’s picture

geodaniel commented
Title: Access denied for all users on 'My Groups' page (og/user) » Access denied for all users on 'My Groups' page (og/user) + other issues
Assigned: Unassigned » geodaniel
StatusFileSize
new og_user_groups2.patch2.31 KB

This updated patch also deals with the MySQL errors if a user isn't a member of any groups and stops the strange duplication/empty pager behaviour.

geodaniel’s picture

geodaniel commented

alynner, misty3, Patrick: anyone interested in trying the latest patch out to see if it fixes the issue?

misty3’s picture

misty3 commented

sure, will try this and post the results here/

geodaniel’s picture

geodaniel commented

thanks, much appreciated! :)

nathanraft’s picture

nathanraft commented

This works for group pages created with CCK but not the OG_basic type.

Thus works just fine as there is little reason to use og_basic.

Thanks!

moshe weitzman’s picture

moshe weitzman commented
Status: Needs review » Closed (won't fix)

apparently noone cares since this got no recent reviews ... no more work for 4.7