There seems to be two OG-related problems on my 4.6.0 site:

  1. Group subscription requests are going to all group members instead of just the group manager. Here's a copy of notification message (real names/email addresses obfuscated):

    From: webmaster@mymobilexchange.com
    [mailto:webmaster@mymobilexchange.com]
    Sent: Wednesday, April 27, 2005 8:37 AM
    To: Smith, John; firstname.lastname@mymobilexchange.net; Goliath, David; Barrymore, Drew; David, Larry; Markie, Mark; rad@mobiliq.com; Boy, Rich; Martin, Steve; Nugent, Ted; Thom, Tom; John, Wayne
    Subject: Subscription request for 'Powderstorm' from 'wannabee'

    You may approve or deny this request at http://www.MyMobileXchange.com/og/approve/1/9

  2. The following error is then generated whenever a group member clicks the Approve/Deny link :

    Fatal error: Duplicate entry '887e2535987f9eea7c4ab8b0071c3d7b' for key 1 query: INSERT INTO sessions (sid, uid, hostname, timestamp) VALUES ('887e2535987f9eea7c4ab8b0071c3d7b', 0, '67.92.64.91', 1114778895) in /...myhostpath.../includes/database.mysql.inc on line 66

This error may be related to the Notify module as well so I am also filing a bug report with the Notify project. Also, I am marking this as critical because the problem is undermining user confidence into the security and stability of the system.

Comments

samo’s picture

samo commented

Is the approval message going to all group members intended behavior? If not, I would be glad to submit a patch.

around line 418 is the relevant code:

$res = db_query($sql, $node->nid);
    while ($row = db_fetch_object($res)) {
      $admins[] = $row->mail ? $row->mail : NULL;
    }
moshe weitzman’s picture

moshe weitzman commented

it is a bug. the fix is not in the code segment you've shown. the SQL is incorrect. we need to select out only admins

samo’s picture

samo commented 
417c417,422
<     $sql = og_list_users_sql(1);
---
>
>     // prepend the owner of the group to the admins array
>     $manager = user_load($node->uid);
>     $admins[] = $manager->mail;
>
>     $sql = og_list_users_sql(1,1); // select users with grant_view = 1 and grant_update = 1
487,488c492,493
< function og_list_users_sql($min_grant = 1) {
<   return "SELECT u.uid, u.name, u.mail, u.picture, na.* FROM {node_access} na INNER JOIN {users} u ON na.gid = u.uid AND na.nid = %d WHERE u.status > 0 AND realm = 'og_uid' AND grant_view >= $min_grant ORDER BY u.name ASC";
---
> function og_list_users_sql($min_view = 1, $min_update = 0, $min_delete = 0) {
>   return "SELECT u.uid, u.name, u.mail, u.picture, na.* FROM {node_access} na INNER JOIN {users} u ON na.gid = u.uid AND na.nid = %d WHERE u.status > 0 AND realm = 'og_uid' AND grant_view >= $min_view AND grant_update >= $min_update AND grant_delete >= $min_delete ORDER BY u.name ASC";
moshe weitzman’s picture

moshe weitzman commented

a simpler fix is about to be committed - require that grant_update >= 1

moshe weitzman’s picture

moshe weitzman commented

your patch is better than my proposal. thanks much.

in the future, consider using unified diff (-u) and uploading a file instead of pasting in. these are conventions in drupal community.

samo’s picture

samo commented

Thanks for the diff tip. I also took a look at a pretty good Drupal page on diffs and patches. I will submit separate files in the future.

I don't think this issue is quite fixed yet though. Emails now get sent only to admins and not to the manager/owner of the group.

This problem also relates to the implode bug.

Anonymous’s picture

(not verified) commented