
og_content_type_admin doesn't restrict users from creating non-authorized content outside the group interface

Project: Content Type Administration by Organic Group
Version: 5.x-1.x-dev
Component: Code
Category: bug report
Priority: normal
Assigned: rconstantine
Status: closed (fixed)

Issue Summary

The og_content_type_admin doesn't bar users from adding content to a restricted group outside of the group. To explain further: when adding content, a user can check the box to add a piece of restricted content to a group they should not be allowed to.

Attached is a patch that addresses the user interface only. This does not do any checking of submitted data server side to ensure the user has not manipulated the URL or form data.

Attachment: og_content_type_admin.module_0.diff (1.73 KB)

Comments

#1

I haven't reviewed your patch yet, but let me see if I understand the problem. Are you saying:

Given a user, U1, who is a member of groups GA and GB - and given that content type CT1 is allowed in GA, but not GB, that U1 can create a CT1 from within GA and then check the audience box for GB and it will be posted to both GA and GB? I guess that is a problem. I'll take a look at your UI fix, but I think I'll end up doing a check of the audiences and somehow rejecting the post to them. I'll return a message to the user stating which groups their message was not posted/allowed in.

Thanks for using this module. I hope to get to this fix in the coming week or two. Sorry I can't get to it sooner.
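The server-side check the issue summary says the patch lacks, and that the comment above proposes (check each audience group, reject the ones where the type is not allowed, tell the user which ones), written as an added example in Drupal 5 hook style. This is not the module's code. It assumes the submitted audience arrives in `$node->og_groups` keyed by group nid, as the og module of that era stored it, and it uses a hypothetical helper `mymodule_allowed_types($gid)` standing in for the per-group list that og_content_type_admin maintains; the sample settings inside it are constructed.

```php
<?php
// Added example (not the module's own code): server-side validation of the
// group audience a node is being posted to, as a Drupal 5 hook_nodeapi().
// Assumptions (hypothetical, not taken from the issue):
//   - the submitted audience is in $node->og_groups as gid => gid;
//   - mymodule_allowed_types($gid) returns the content types the group admin
//     allowed for group $gid, or NULL when the group has no restriction.

/**
 * Implementation of hook_nodeapi() for op 'validate'.
 *
 * Runs on every node form submission, whether the form was opened from inside
 * a group or from node/add directly, so a UI-only fix cannot be bypassed by
 * editing the URL or the POSTed form values.
 */
function mymodule_nodeapi(&$node, $op, $a3 = NULL, $a4 = NULL) {
  if ($op != 'validate' || empty($node->og_groups)) {
    return;
  }
  $rejected = array();
  foreach (array_keys($node->og_groups) as $gid) {
    $allowed = mymodule_allowed_types($gid);
    if (is_array($allowed) && !in_array($node->type, $allowed)) {
      $group = node_load($gid);
      $rejected[] = !empty($group->title) ? $group->title : t('group @gid', array('@gid' => $gid));
    }
  }
  if (!empty($rejected)) {
    // Reject the whole submission rather than silently dropping audiences, so
    // the user sees exactly which groups disallow this content type.
    form_set_error('og_groups', t('Content of type %type is not allowed in: %groups.',
      array('%type' => $node->type, '%groups' => implode(', ', $rejected))));
  }
}

/**
 * Hypothetical lookup of the per-group allowed content types.
 * Returns an array of type names, or NULL when the group has no restriction.
 */
function mymodule_allowed_types($gid) {
  // Constructed sample settings standing in for the module's stored data.
  $settings = array(
    11 => array('story', 'og_task'),  // group 11 allows two types
    12 => array('story'),             // group 12 allows only 'story'
  );
  return isset($settings[$gid]) ? $settings[$gid] : NULL;
}
```

Failing the submission with form_set_error() is a deliberate choice over quietly stripping the disallowed groups: the user gets a clear message, and nothing is saved with an audience that was never checked. With this in place the UI patch becomes a convenience for honest users, and the server check is what actually enforces the restriction.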

#2

Your description of the issue is right on --

The UI fix we implemented makes it so the user only has the option to post into groups where the group admin has allowed specific content types.

We did *NOT* address the issue of someone hacking the URL to add the content type into a group where it's not allowed -- this is where:

but I think I'll end up doing a check of the audiences and somehow rejecting the post to them. I'll return a message to the user stating which groups their message was not posted/allowed in.

will come in handy --

However, as the issue of someone hacking the URL to bypass the UI fix is a pretty specialized use case, and would really only be tried by a PITA user who spends the time to study how URLs work with placing content within groups :), the UI fix in this patch will be more than enough for the overwhelming majority of situations --

Thanks for taking a look at this -- this module brings some great additional functionality into OG.

Cheers,

Bill

#3

Assigned to: Anonymous » rconstantine
Status: active » needs review

I should get to this Saturday or Monday. The few patches I need to make on this are at the top of my list.

And while I'm in there, I'm going to see if I need to do anything for compatibility with a new module I'm making that will allow multiple site membership types. [Normally, I'd use the words 'account types', but as I've already used that term in another module, I'm using 'membership types'.]

What this will do is put a dropdown on the registration page where the user chooses the kind of membership they want. Then, using the pageroute module, the user is presented with a series of forms, some required, some optional, that depend on the membership selected. This means that different user data can be collected depending on the membership type they choose. Optionally, you can assign users automatically to one of the 'account types' setup using my accounttypes module. I'm also looking at automatically assigning roles upon approval as well. I haven't been able to figure out a clean way to automatically assign individual permissions. The way they are stored implies to me that the whole list of permissions needs to be involved and I don't need that.

So while the pageroute module will be required (and also the nodeprofile module), and the accounttype module will be optional, I'm wondering if I need to do anything regarding this module. So far, I don't think so, but I do need to automatically place the content types from the pageroutes onto OG's do-not-use-in-groups list. Hmm. Anyway, I just thought that since you are interested in this module, which is a way to control users' actions, that you might be interested in a module that controls user creation.

I expect that you're already using your own patch, but expect an official update early next week.

And then I'll work on official updates to og_forum (I have CVS access now)!

#4

Status: needs review » fixed

I finally got around to this. I liked your patch as it was for the UI. I'm still looking into the backend solution as well. I have one more thing to address for another issue and then I'll upload the changes. So look for a new dev version posted after today.

#5

Status: fixed » closed (fixed)

#6

Question: I am using the 5.x.1.3 version with og_user_roles, og_subgroups, og_audience, acl, content_access. Your project page gave instructions to use the 5.x.1.3 version, not the latest dev version. I am having the same issue as in this topic, but I thought this was fixed in the current version I am using. I did not want to update if I did not need to, or if the problem lies elsewhere. I just wanted to get your feedback first.

thank you for the module, all the work is much appreciated.

-Jen
