Access conflicts for edit and delete operations with modules that implement node grants

Further, it looks like hook_og_user_access_alter only fires if the user is a group member. I'm using Content Access, which includes an "Edit Any [node type]" grant, but the problem described in this issue prevents this from functioning if the node is assigned to a group and there's no way to use the og api to alter the access if the user is not a member of the group.

OK - I was wrong about this, the hooks are firing for non-members. Not sure why my tests using dpm() calls weren't outputting messages before. I can write code for the business logic of my use case. Still clearly a problem for non-coders.

Hi there,

I am having the same issue. I am actually building a hierarchy of groups, where I want to give some admin from a "parent" group, full editing power on all "children"groups, even if they are not members of the "children" groups.

As described by cpliakas, the main issue is that in og_node_access, in some circumstances, the function would return a NODE_ACCESS_DENY. From what I understand, as soon as this is done, the game is over, and no other method of granting access (such as through hook_node_grants) will be evaluated.

This is a serious issue that make it difficult for custom modules to grant/deny extra permisions on group.

Instead of returning NODE_ACCESS_DENY, the function should return NODE_ACCESS_IGNORE, and doing so delegating the issue of deciding whethr to grant/deny access to another module. By default, if no module specifically grant access to the group type, then the user will be denied access (so the default behavior is the same as having a NODE_ACCESS_DENY). On the other hand, this change would allows custom module developers to define their own precise node access behavior through node_access_grants & co.

I can provide a patch if needed (simply replace all NODE_ACCESS_DENY by NODE_ACCESS_IGNORE in og_node_access).

Cheers,

Sylvain