As a group manager (owner), I can make one or more subscribers as the administrator of the group.

But what can a group administrator do? I tried logging in as the group administrator, the user seems to behave just like a regular subscriber. I thought the user would be able to add subscribers, approve registration, etc. But it doesn't seem to be the case.

Am I missing something?

Comments

rjl’s picture

I was wondering the same thing...

Once I enabled 'Access Control' (in the first section in the OG settings page), then administrators could edit nodes - not the actual group node - but nodes in the group.

I was also hoping that administrators could also edit the group node and the functionality mentioned above (add subscribers, etc, send mail, etc.)

rjl’s picture

After looking at the og.module code (I know I should have done this before my post above)...

It appears that access to a number of these administrative functionalities is defined using the node_access() function: node_access('update', $node) as in the following

- function og_menu
  - drupal hook for menu items
  - node_access() required for menu items for 'Add Subscribers', 'E-mail' to be visible
- function og_approve
  - provides approving subscribers
  - without node_access() user is denied
- function og_deny
  - provides denying subscribers
  - without node_access() user is denied
- function og_admin_create
  - provides adding administrator status to subscriber
  - without node_access() user is denied
- function og_delete_admin
  - provides removing administrator status from subscriber
  - without node_access() user is denied
- function og_invite_page
  - provides functionality for inviting subscribers
  - without node_access() user is denied
- function og_subscribe
  - provides functionality for subscribing to group
  - node_access() is required to subscribe other users
- function og_unsubscribe
  - provides functionality for unsubscribing to group
  - node_access() is required to unsubscribe other users
- function og_list_users_page
  - outputs the subscribers list page
  - node_access() is required for the 'options' column to be displayed
- function og_og_create_links
  - not sure exactly what this function does - but node_access() is checked within

The node_access() function is complex.

The function allows users with 'update' permission on the (group) node to perform these functionalities. The 'update' permission is checked for in several places to see if the user has the permission.

With OG settings: Access Control = Enabled...
(note I could be way off base with this part)

1. It appears the OG module adds the extra permissions to the node_access table for the node types that are children of the (group) node. This then gives (group) 'administrators' the ability to edit child nodes of the (group).

2. The OG module does not appear to add extra permissions to the node_access table for the (group) node. Permission seems to be limited to users with 'edit own (group) content' or 'edit (group) content' access. This would deny a (group) 'administrator' permissions unless he/she was the author of the (group) node (assuming he/she has 'edit/own' access).

I guess there is a big question that needs to be answered (and has probably been answered before, I'm not sure where though). What additional permissions should an 'administrator' have?
1. Add/Remove subscribers
2. E-mail subscribers
3. Add/Remove 'administrator' status to subscribers
4. Edit/Delete child nodes of the (group)
5. Edit/Delete the (group) node
I would imagine that each person would have a different answer to the question depending on their particular site.

Personally, I am not concerned about the last two items regarding nodes. I would like to have options for the first three items regarding subscribers. The rest of my comments are only in regards to those subscriber related permissions.

One easy fix would be to say that 'administrators' have those permissions. The change in the module's code would be fairly simple:
all instances of

node_access('update', $node)

would be changed to

(node_access('update', $node) || $user->og_groups[$node->nid]['is_admin'])

each function would also need to be checked to see that it included the current user object, as in:

global $user;

Another fix, more complicated, but more flexible, would be to provide variables (defined on the OG settings page) for what an 'administrator' can do.

I see 5 variables for providing a fair amount of flexibility and not too much overhead:
- Add Subscribers - var: 'og_admins_add_subscribers'
- Remove Subscribers - var: 'og_admins_remove_subscribers'
- Email Subscribers - var: 'og_admins_email_subscribers'
- Promote Subscribers To Administrator - var: 'og_admins_promote_subscribers'
- Demote Administrators to Subscribers - var: 'og_admins_demote_subscribers'

Add this code to the og_admin_settings function

  // administrators section
  $form['og_settings']['administrator'] = array('#type' => 'fieldset', '#title' => t('Group Administrators'), '#collapsible' => TRUE, '#collapsed' => TRUE);
  // options for all items are Yes/No
  $options = array(1 => t('Yes'), 0 => t('No'));
  // can group administrators add subscribers?
  $form['og_settings']['administrator']['og_admins_add_subscribers'] = array('#type' => 'radios', '#title' => t('Add Subscribers'), '#default_value' => variable_get('og_admins_add_subscribers', 1), '#description' =>t('Can subscribers promoted to Administrator status add other users as subscribers of the group?'), '#options' => $options);
  // can group administrators remove subscribers?
  $form['og_settings']['administrator']['og_admins_remove_subscribers'] = array('#type' => 'radios', '#title' => t('Remove Subscribers'), '#default_value' => variable_get('og_admins_remove_subscribers', 1), '#description' =>t('Can subscribers promoted to Administrator status remove subscribers from the group?'), '#options' => $options);
  // can group administrators email subscribers?
  $form['og_settings']['administrator']['og_admins_email_subscribers'] = array('#type' => 'radios', '#title' => t('Email Subscribers'), '#default_value' => variable_get('og_admins_email_subscribers', 1), '#description' =>t('Can subscribers promoted to Administrator status email subscribers in the group?'), '#options' => $options);
  // can group administrators promote subscribers to admin?
  $form['og_settings']['administrator']['og_admins_promote_subscribers'] = array('#type' => 'radios', '#title' => t('Promote Subscriber to Administrator'), '#default_value' => variable_get('og_admins_promote_subscribers', 1), '#description' =>t('Can subscribers promoted to Administrator status promote other subscribers to Administrator status?'), '#options' => $options);
  // can group administrators demote subscribers from admin?
  $form['og_settings']['administrator']['og_admins_demote_subscribers'] = array('#type' => 'radios', '#title' => t('Demote Administrator to Subscriber'), '#default_value' => variable_get('og_admins_demote_subscribers', 1), '#description' => t('Can subscribers promoted to Administrator status demote other Administrators to subscriber status?'), '#options' => $options);

then all instances of

node_access('update', $node)

would be changed to

(node_access('update', $node) || (variable_get('og_admins_*****_subscribers', 1) && $user->og_groups[$node->nid]['is_admin']))

where ***** would be the appropriate variable for the appropriate functionality
each function would also need to be checked to see that it also included the current user object (as above)
Examples:
function og_approve would check the variable: 'og_admins_add_subscribers'
function og_deny would check the variable: 'og_admins_remove_subscribers'
etc...

One issue would be the subscribers list provided by
function og_list_users_page: this function provides the 'options' column for subscribers and provides links to all the functionalities except emailing.

in the function, the line

$access = node_access('update', $node);

would be changed to a general admin check
and specific admin permission checks would need to be added

$access = (node_access('update', $node) || $user->og_groups[$gid]['is_admin']);
$access_add = (node_access('update', $node) || (variable_get('og_admins_add_subscribers', 1) && $user->og_groups[$gid]['is_admin']));
$access_remove = (node_access('update', $node) || (variable_get('og_admins_remove_subscribers', 1) && $user->og_groups[$gid]['is_admin']));
$access_promote = (node_access('update', $node) || (variable_get('og_admins_promote_subscribers', 1) && $user->og_groups[$gid]['is_admin']));
$access_demote = (node_access('update', $node) || (variable_get('og_admins_demote_subscribers', 1) && $user->og_groups[$gid]['is_admin']));

then this section of the function which provides the links to the various specific functions

if ($access) {
  if ($account->is_active) {
    $rows[$i][] = l(t('unsubscribe'), "og/unsubscribe/$gid/$account->uid", array(), "destination=og/users/$gid");
    if ($account->is_admin) {
      $rows[$i][] = l(t('admin: remove'), "og/delete_admin/$gid/$account->uid", array(), 'destination='. $_GET['q']);
    }
    else {
      $rows[$i][] = l(t('admin: create'), "og/create_admin/$gid/$account->uid", array(), 'destination='. $_GET['q']);
    }
  }
  else {
    $rows[$i][] = l(t('approve'), "og/approve/$gid/$account->uid", array(), "destination=og/users/$gid");
    $rows[$i][] = l(t('deny'), "og/deny/$gid/$account->uid", array(), "destination=og/users/$gid");
  }
}

would need to change to this which includes the checks for the specific functionalities

if ($access) {
  if ($account->is_active) {
    $rows[$i][] = $access_remove ? l(t('unsubscribe'), "og/unsubscribe/$gid/$account->uid", array(), "destination=og/users/$gid") : ' ';
    if ($account->is_admin) {
      $rows[$i][] = $access_demote ? l(t('admin: remove'), "og/delete_admin/$gid/$account->uid", array(), 'destination='. $_GET['q']) : ' ';
    }
    else {
      $rows[$i][] = $access_promote ? l(t('admin: create'), "og/create_admin/$gid/$account->uid", array(), 'destination='. $_GET['q']) : ' ';
    }
  }
  else {
    $rows[$i][] = $access_add ? l(t('approve'), "og/approve/$gid/$account->uid", array(), "destination=og/users/$gid") : 'pending';
    $rows[$i][] = $access_remove ? l(t('deny'), "og/deny/$gid/$account->uid", array(), "destination=og/users/$gid") : 'pending';
  }
}

These are just some thoughts and ideas I had. Sorry I'm very good at making patch files or I would have done so. The code is working, but should be tested of course.
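
The per-capability check proposed in the comment above, gathered into one helper so every callback asks the same question (an added example, not part of the original thread and not og.module code). The helper name `og_admin_can()`, the stand-in `variable_get()`/`node_access()` stubs with their simplified signatures, and the sample accounts are assumptions made so the sketch runs outside Drupal.

```php
<?php
// Stand-ins for Drupal core so this runs stand-alone (assumptions, simplified).
$GLOBALS['conf'] = array('og_admins_demote_subscribers' => 0); // constructed setting
function variable_get($name, $default) {
  return isset($GLOBALS['conf'][$name]) ? $GLOBALS['conf'][$name] : $default;
}
function node_access($op, $node, $account) {
  // Simplified: only the author of the group node holds 'update' on it.
  return $op == 'update' && $node->uid == $account->uid;
}

/**
 * Hypothetical helper: may $account perform $op on the group $node?
 * $op is one of: add, remove, email, promote, demote.
 */
function og_admin_can($op, $node, $account) {
  $ops = array('add', 'remove', 'email', 'promote', 'demote');
  if (!in_array($op, $ops, TRUE)) {
    return FALSE; // unknown operation: deny instead of building a variable name from it
  }
  if (node_access('update', $node, $account)) {
    return TRUE; // group manager, or anyone else with update rights on the group node
  }
  // Group administrators are allowed only where the site setting permits it.
  // The default of 1 matches the defaults used in the comment above.
  $is_admin = !empty($account->og_groups[$node->nid]['is_admin']);
  return $is_admin && (bool) variable_get("og_admins_{$op}_subscribers", 1);
}

// Constructed sample data: one group node and three accounts.
$group  = (object) array('nid' => 10, 'uid' => 1);
$owner  = (object) array('uid' => 1, 'og_groups' => array());
$admin  = (object) array('uid' => 2, 'og_groups' => array(10 => array('is_admin' => 1)));
$member = (object) array('uid' => 3, 'og_groups' => array(10 => array('is_admin' => 0)));

foreach (array('owner' => $owner, 'admin' => $admin, 'member' => $member) as $name => $acct) {
  foreach (array('add', 'demote', 'bogus') as $op) {
    printf("%-6s %-6s %s\n", $name, $op, og_admin_can($op, $group, $acct) ? 'allow' : 'deny');
  }
}
```

The same call belongs inside the page callbacks (og_approve, og_deny, og_delete_admin and so on) as well as in og_list_users_page, since hiding a link in the 'options' column does not stop a direct request to the callback URL.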

moshe weitzman’s picture

Title: OG Group Administrator not working? » OG Group Administrator not working
Version: 5.x-2.2 » master
Category: support » bug
Priority: Normal » Critical

indeed, this seems to have become broken a long time ago. i will likely fix this by putting group nodes into the node-access system and giving an update grant to group admins. this is related to the private groups issue, so it might be little while before i fix it. not too long though. i recognize that it is a critical bug.

yched’s picture

+1 for a fix when you, er, have some time ?

moshe weitzman’s picture

Status: Active » Fixed

fixed in HEAD and D5. a release forthcoming soon ...

Anonymous’s picture

Status: Fixed » Closed (fixed)

dgtlmoon’s picture

Status: Closed (fixed) » Postponed (maintainer needs more info)

I'm still seeing this issue as part of the release http://drupal.org/node/302406 (5.x 8.x-dev)

As a user, i can create an og group, however i cannot edit that group once it is created, even tho i am the node's owner

Do I need to enable og_access ?

kkrgopalan’s picture

subscribe - facing a similar problem

ianchan’s picture

subscribe

moshe weitzman’s picture

Status: Postponed (maintainer needs more info) » Fixed

#7 - yes.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.