OG User Roles: Clearing the Cache

We found that there are some modules which will return "Access denied" message even when OG User Roles returns permissions which allow the user access. This is due to cached permissions being used instead of the group permissions.

Also, if your basic "OG Roles aren't working", please note the following:
It appears that the Drupal caching mechanism is used much more stringently as a result of either 5.7 core or OG 5.x-7.x. Assuming OGUR has been installed correctly, this may result in group roles you've assigned to group users not being respected when they should (i.e., when they are in group context). In this case, the solution is to implement the "Clear the Cache" setting in OGUR: http://drupal.org/node/263944

OG User Roles has a setting: "Clear the Cache". If you click this on, then the permissions cached in "user_access" will be reset. In addition, the "cache_menu" table record for the user will be deleted. This has the total effect of refreshing the permissions for a user with any new permissions allowed by group roles (set, of course, in OGR).

Patch required in 5.x. In order to use the "Clear the Cache" setting in Drupal 5.x, you must install the og_user_roles.user_.module.5.3.patch to the user.module: http://drupal.org/node/170524. This patch is included in the OG User Roles distribution: http://drupal.org/node/178874. This patch has been added to Drupal 6.x core http://drupal.org/node/176342.

We initially discovered this in resolving the "File Upload" issue: http://drupal.org/node/166566. However, it appears that many other issues have been fixed using this solution. We have found, since this fix was implemented, that it appears to solve many other problems:

• Content Type Administration: http://drupal.org/node/177866
• Incompatibility with blocks' "Role specific visibility settings": http://drupal.org/node/174970
• ogusermanage and oguseredit: http://drupal.org/node/176662
• user_access within a group home page not working: http://drupal.org/node/167180

Module weighting: alternative to resolve role/permission problem

We just found what I think is a slightly different problem, which is that user_access has a static PHP cache within it (so only on a per-request basis).

The first call to user_access in a request will determine for the whole of the rest of the request what user_access' static permission store declares for that user. After that, even if you change a user's roles, the database is never revisited to see what change those roles might make.

That means that if module X implements hook_init, and inside that hook it calls user_access, AND module X is weighted above OG User Roles (or weighted the same, but randomly gets called first), then OG User Roles is barred from upgrading the user's static $perm, and effectively from upgrading their roles, for the rest of the request.

Solution: weight OG User Roles so that it's run first. In MySQL, find out the most negative weight in the roles table:

SELECT min(weight) FROM system WHERE type = 'module';

Then set an even more negative weight for the OG User Roles module:

UPDATE system SET weight = -20 WHERE type = 'module' AND name = 'og_user_roles';