I can't figure out how this is supposed to work. I'm using Organic Groups 6.x-2.1 with OG workflow 6.x-1.0 and Workflow 6.x-1.5 modules.

I have a workflow with 3 states (draft, reviewed, published). The published state is viewable to anonymous and authenticated users (because the workflow is used for many non-OG posts as well).

I have two private Organic groups set up: NY and CA. I have a content type called "News" that has the above workflow assigned to it and it is a "standard group post". When I create a "News" content item and assign the audience as NY, members in the CA group can still see it. Is this because in the workflow settings authenticated users are allowed to access posts? I would hope that OG would supercede workflow in this case. I was thinking that's what this module was for.

(For reference, I have cloned the same site and instead of OG Workflow tried Module grants, which works in all cases except when non-OG posts have workflows assigned to them, OG members cannot see any of the posts)

Please advise if I am mistaken or what I may be doing wrong :)

Comments

cpliakas’s picture

Title: Explain how this works? » Unwanted access granted to nodes when OG's access is more restrictive than Workflow
Component: Documentation » Code
Category: support » bug
Priority: Normal » Critical

nektir,

It is just supposed to work with no configuration, you are not doing anything wrong :-). I think I see the issue here. This module simply adds an AND condition to the access query ensuring that the Workflow module's access controls are explicitly required. The assumption is that Workflow's access settings are always more restrictive, however this isn't the case in your scenario. The module should ensure that BOTH access control settings for Workflow and OG are honored so that it doesn't matter which one is more restrictive.

Thanks for posting,
Chris

Encarte’s picture

I have a bug report on Module Grants that resembles this one and, although related to different modules, I think maybe the other one has useful information for this one: #1419954: Workflow and Organic Groups.

You can see on the Devel output that Workflow writes «1» or «0» values to give or deny «View» permissions on the node, while Organic Groups only writes «1» values. So, even with the «AND» logic, I would guess a Workflow «1» permission would always apply because there is no «0» Organic Permission to be the «AND» counterpart. Would that be the cause of the problem?

Tim-Erwin’s picture

Status: Active » Closed (won't fix)