I'm testing Organic Groups with Workflow and it seems I came across a bug that makes this combination unusable. I wonder if anyone is using it.
The problem is: if you give node visibility permission to a role on the workflow access table, the users with that role will have access to all nodes with that workflow regardless of that node belonging to a private organic group where the user isn't a member. So, any role referenced in workflow can access all the group posts with that workflow.
To reproduce this, you just need to create a node type, give it a workflow and give node visibility access to a role on a state. Then mark this node type as «Standard group post (typically only author may edit)». Create a node of this type and you'll see that non-members will have access to it just as long as they have the role which was granted visibility access on that state by workflow.
Devel shows this:
| node | prio | status | realm | gid | view | update | delete | explained |
|---|---|---|---|---|---|---|---|---|
| 4 | 0 | ok | og_access: og_admin | 2 | 1 | 1 | 1 | User1 may view, update, delete this node. Group admins of Group test may view/edit/delete this node. |
| 4 | 0 | ok | og_access: og_subscriber | 2 | 1 | 0 | | User1 may view, update, delete this node. Members of Group test may view this node. |
| 4 | 0 | empty | workflow_access | 1 | 0 | 0 | 0 | User1 may view, update, delete this node. Workflow access: anonymous user may access |
| 4 | 0 | empty | workflow_access | 2 | 0 | 0 | 0 | User1 may view, update, delete this node. Workflow access: authenticated user may access |
| 4 | 0 | ok | workflow_access | 3 | 1 | 1 | 0 | User1 may view, update, delete this node. Workflow access: Admin role may access |
| 4 | 0 | empty | workflow_access | 4 | 0 | 0 | 0 | User1 may view, update, delete this node. Workflow access: Base role may access |
| 4 | 0 | ok | workflow_access | 5 | 1 | 0 | 0 | User1 may view, update, delete this node. Workflow access: Workflow yes-role may access |
| 4 | 0 | empty | workflow_access | 6 | 0 | 0 | 0 | User1 may view, update, delete this node. Workflow access: Workflow no-role may access |
| 4 | 0 | ok | workflow_access_owner | 6 | 1 | 0 | 0 | User1 may view, update, delete this node. Workflow access: author of the content may access |
| user name | create | view | update | delete |
|---|---|---|---|---|
| Anonymous | NO: access content | NO: access content | NO: access content | NO: access content |
| User1 | YES: administer nodes | YES: administer nodes | YES: administer nodes | YES: administer nodes |
| User test3 | YES: by the module | NO: node access | NO: node access | NO: node access |
| User test2 | YES: by the module | YES: {node_access} | NO: node access | NO: node access |
| User test1 | YES: by the module | YES: {node_access} | NO: node access | NO: node access |
| User with no group | YES: by the module | YES: {node_access} | NO: node access | NO: node access |
- user1 - site admin
- user test1 - group admin, has a role with workflow access
- user test2 - node author, member of the group, has author workflow access
- User with no group - doesn't belong to the group and still has access to the node, has a role with workflow access
Module Grants settings are «Interpret absence of access grants as a "don't care", rather than a "deny access".» and «Add a taxonomy Term column to the accessible content summary, if applicable.»
- Module Grants 6.x-3.x-dev (2011-Dec-18)
- Organic groups 6.x-2.2+3-dev (2012-Jan-19)
- Workflow 6.x-1.x-dev (2011-Feb-25)
Comments
Comment #1
rdeboer commented: In other words: OG permissions suck....
Comment #2
Encarte commented: Yes, I feared that would be an inevitable technical conclusion...
But, would it be possible to go around it?
I imagine the main problem is Organic Groups not issuing zero values like Workflow does (OG seems to do that only for the Delete permissions), which means it is not denying access, instead it is just saying it doesn't care.
Module Grants has this option on the settings: «Interpret absence of access grants as a "don't care", rather than a "deny access".» I guess unchecking that option would shut the site down making inaccessible all nodes that aren't even related to Organic Groups and or Workflow. I guess it could bring new problems with other access modules too. But what about checking that option just for nodes related with the Organic Groups and only for Organic Groups permissions. Would that be science fiction?
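To make the grant arithmetic behind the Devel table and the "don't care" option concrete, here is a small Python model added to this issue (it is not code from Drupal, Organic Groups, Workflow or Module Grants). The node_access rows for node 4 are transcribed from the Devel output above; the per-user grants (what each module's hook_node_grants() would return), the realm-to-module mapping, the extra non-group node 7, and the way "absence of grants" is treated per access module are all assumptions made for the illustration, not verified Module Grants internals.

```python
# Constructed model of how Drupal 6 node access grants combine, added to
# illustrate this issue. Not code from Drupal, OG, Workflow or Module Grants.

# node_access rows for node 4, transcribed from the Devel table in the report:
# (realm, gid, grant_view, grant_update, grant_delete)
NODE_ACCESS = {
    4: [
        ("og_access:og_admin",      2, 1, 1, 1),
        ("og_access:og_subscriber", 2, 1, 0, 0),  # delete cell not shown in the table; assumed 0
        ("workflow_access",         1, 0, 0, 0),  # anonymous user
        ("workflow_access",         2, 0, 0, 0),  # authenticated user
        ("workflow_access",         3, 1, 1, 0),  # Admin role
        ("workflow_access",         4, 0, 0, 0),  # Base role
        ("workflow_access",         5, 1, 0, 0),  # Workflow yes-role
        ("workflow_access",         6, 0, 0, 0),  # Workflow no-role
        ("workflow_access_owner",   6, 1, 0, 0),  # author of the content
    ],
    # Constructed: a node of the same type that is in no group, so OG writes
    # no rows for it at all and only Workflow's rows exist.
    7: [("workflow_access", 5, 1, 0, 0)],
}

# Assumed mapping of realms to the access module that owns them.
REALM_MODULE = {
    "og_access:og_admin": "og_access",
    "og_access:og_subscriber": "og_access",
    "workflow_access": "workflow_access",
    "workflow_access_owner": "workflow_access",
}
ACCESS_MODULES = sorted(set(REALM_MODULE.values()))

# Assumed hook_node_grants() results per user: realm -> gids the user holds.
USERS = {
    "test1":    {"og_access:og_admin": [2], "og_access:og_subscriber": [2],
                 "workflow_access": [2, 5]},                     # group admin + yes-role
    "test2":    {"og_access:og_subscriber": [2],
                 "workflow_access": [2], "workflow_access_owner": [6]},  # member + author
    "test3":    {"workflow_access": [2]},                        # neither member nor yes-role
    "no_group": {"workflow_access": [2, 5]},                     # not a member, has yes-role
}


def matching_rows(node, grants):
    """Node access rows that match one of the user's (realm, gid) grants."""
    return [row for row in NODE_ACCESS[node] if row[1] in grants.get(row[0], [])]


def core_can_view(node, grants):
    """Drupal core rule: any matching row with grant_view = 1 grants access (OR).
    A 0 row never blocks anything; it merely fails to help."""
    return any(row[2] == 1 for row in matching_rows(node, grants))


def module_grants_can_view(node, grants, absence_is_dont_care=True):
    """Simplified model of Module Grants: every access module must agree (AND).
    A module denies when the user's only matching rows are 0 rows. A module with
    no matching rows at all is either skipped ("don't care") or counted as a deny,
    depending on the setting quoted in the issue."""
    verdicts = []
    for module in ACCESS_MODULES:
        rows = [row for row in matching_rows(node, grants) if REALM_MODULE[row[0]] == module]
        if not rows:
            verdicts.append(None if absence_is_dont_care else False)
        else:
            verdicts.append(any(row[2] == 1 for row in rows))
    if False in verdicts:
        return False
    return True in verdicts


def report(node, absence_is_dont_care=True):
    """View verdict for every sample user on one node."""
    return {name: module_grants_can_view(node, g, absence_is_dont_care)
            for name, g in USERS.items()}


if __name__ == "__main__":
    for node in NODE_ACCESS:
        print(f"node {node}, core OR rule:        ", {n: core_can_view(node, g) for n, g in USERS.items()})
        print(f"node {node}, absence = don't care: ", report(node, True))
        print(f"node {node}, absence = deny:       ", report(node, False))
```

With the option on, `no_group` can view node 4 because OG contributed no matching row (so it is ignored) while Workflow contributed a 1 row, which is exactly the Devel result in the report. With the option off, the same user is denied on node 4, but on the non-group node 7 every user is denied, because OG has no row there for anyone; that is the side effect the comment above worries about.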
Comment #3
rdeboer commented: Won't fix this myself, if it's still a problem.
Patches welcome.
Rik
Comment #4
Manish commented: Wondering if there is any progress to solve the issue.
>> The problem is: if you give node visibility permission to a role on the workflow access table, the users with that role will have access to all nodes with that workflow regardless of that node belonging to a private organic group where the user isn't a member. So, any role referenced in workflow can access all the group posts with that workflow.
Thanks in advance,
Regards,
Manish