Hello,

I have the Registration Codes enabled, and even though I have "configure member roles" off (this is not a site admin user), the following checkbox still shows up:

"Set default basic group (group limited) role for users who join this group using this registration code?"

Also, right below that is an empty drop-down that says "Role to assign". Because it's empty, it gives an error at the top:

warning: Invalid argument supplied for foreach() in /home/site/public_html/dev/includes/form.inc on line 949.

I don't want to assign any roles with the codes. Is there a way to turn this off?

Thanks,
Andrey.

Comments

somebodysysop’s picture

What happens when you uncheck this box: "Set default basic group (group limited) role for users who join this group using this registration code?"

It only looks for a role to assign to registration code subscribers if this box is checked.

mr.andrey’s picture

The box is unchecked and the roles drop-down still shows up.

I want to disable even the "Set default basic..." checkbox, as this won't be used at all on my site.

I can do it with form_alter, though it would be most awesome if it was tied in with the OGR settings page.

Best,
Andrey.

somebodysysop’s picture

Then, you need to explain step by step what's going on because I can't figure out what you mean.

mr.andrey’s picture

OK.

On the OGR configuration page, the only thing that is checked is this:

Allow Group Admins to set Registration Codes for users to join their moderated groups without admin approval?

On Access Control page, members have these permissions:

manage registration codes
use registration codes

When I edit my group as a member, I see this error on the top of the page:

warning: Invalid argument supplied for foreach() in /home/transfp6/public_html/dev/includes/form.inc on line 949.

And in the "Registration code for new subscribers to this group" fieldset, I see the following options (all unchecked/empty):

Set registration codes to allow users to join this group?
Delete registration code after it is used?
Registration codes for allowing users to subscribe to this group without admin approval:
Set default basic group (group limited) role for users who join this group using this registration code?
Role to assign:

There are a couple of problems here:
1. The error on the top of the page is due to an empty "Role to assign" drop-down.
2. I see the "Set default basic group (group limited) role..." option and the "Role to assign" drop-down, even though I have "configure member roles" disabled on the Access Control page.

I don't want to assign roles with codes, so how can I disable the last two options on the group edit page?

Set default basic group (group limited) role for users who join this group using this registration code?
Role to assign:

Please let me know if you need further clarification.

Best,
Andrey.

somebodysysop’s picture

Thank you. Now I understand. I believe the answer to your question is to UNcheck this in OGR settings:

Allow Group Admins to set Registration Codes for users to join their moderated groups without admin approval?

That should solve the problem.

mr.andrey’s picture

Hi @SomebodySysop,

I do want to use the registration codes, but I don't want to assign any special roles when I use the codes. I also don't want the error on the top of the page.

I want to have these options:

Set registration codes to allow users to join this group?
Delete registration code after it is used?
Registration codes for allowing users to subscribe to this group without admin approval:

But not these:

Set default basic group (group limited) role for users who join this group using this registration code?
Role to assign:

I thought that the "configure member roles" permission works with the reg codes fieldset, but I guess it doesn't.

Best,
Andrey.

somebodysysop’s picture

> I thought that the "configure member roles" permission works with the reg codes fieldset, but I guess it doesn't.

See OG User Roles: Registration Codes documentation at: http://drupal.org/node/217229

In Access Control, you must give the manage registration codes permission to all roles whose users will be able to determine if a group can use registration codes, and if so, will be able to enter the codes for a group. Note that these users will also need to have the "edit group content" permission as they will need to edit the group node to check on the Set registration codes to allow users to join this group? option.

> There are a couple of problems here:
> 1. The error on the top of the page is due to an empty "Role to assign" drop-down.
> 2. I see the "Set default basic group (group limited) role..." option and the "Role to assign" drop-down, even though I have "configure member roles" disabled on the Access Control page.

OG User Roles, by definition, is designed to support group roles. If you do NOT check "Set default basic group (group limited) role for users who join this group using this registration code?", none will be set for these types of users; however, the 'Role to assign' pulldown menu should be populated with at least ONE role.

So, I'm at a total loss as to why you'd be getting this error.

mr.andrey’s picture

Hi @SomebodySysop,

Hmm.. I'm not sure we're understanding each other.

> In Access Control, you must give the manage registration codes permission to all roles whose users will be able to determine if a group can use registration codes, and if so, will be able to enter the codes for a group. Note that these users will also need to have the "edit group content" permission as they will need to edit the group node to check on the Set registration codes to allow users to join this group? option.

I gave the "manage registration codes" and "edit group content" permissions in Access Control. I'm not sure what you mean by this quote.

The error disappears if I check at least one role under "Group role options" on the OGR page, because it populates the drop-down.

This module allows you to, for each group type, specify a list of roles
that group administrators are allowed to assign. In the subscriber list
(og/users/), a 'configure member roles' tab will appear if both
the group type is allowed to configure roles and the current user is an
admin for the group.

I guess the "configure member roles" permission doesn't extend to the regcode fieldset. To me it makes sense that if group admins can't "configure member roles" on the special page, they also will not be able to do so through the regcodes. It seems like a security flaw, as anyone with a regcode permission will be able to create a new user and assign themselves whatever role they need, even though they don't have the permission to "configure member roles". Does this make sense?

Let me know if you want me to clarify this more.

Best,
Andrey.

somebodysysop’s picture

Attachment: new, 780 bytes

It's a huge application, so please forgive me if I just don't easily recall every detail.

> I guess the "configure member roles" permission doesn't extend to the regcode fieldset. To me it makes sense that if group admins can't "configure member roles" on the special page, they also will not be able to do so through the regcodes. It seems like a security flaw, as anyone with a regcode permission will be able to create a new user and assign themselves whatever role they need, even though they don't have the permission to "configure member roles". Does this make sense?

Yes, this does make sense. Hadn't thought about it this way.

Your suggestion is to require both "configure member roles" AND "manage registration codes" permissions in order to use the "assign default role" option?

But, that would be true for all of the "assign role" options.

So, a better solution is not to throw the error.

Try the attached patch against the newest 3.1 release. Or, simply edit your existing release to add it. All it does is declare $roles as an array so that listing it doesn't throw the error.

mr.andrey’s picture

Just updated to 3.1 and patched. The error goes away.

The potential security flaw of site admins assigning themselves whatever roles they want without having "configure member roles" permission remains.

I also noticed that there's a new "Logo" fieldset in 3.1. There doesn't seem to be a way to hide it. The group form is already complex, and I'm not planning to use logos. I can manually disable it through _form_alter, but inability to turn it off will probably turn some people off as well.

Andrey.

somebodysysop’s picture

Assigned: Unassigned » somebodysysop
Attachment: new, 3.79 KB

> The potential security flaw of site admins assigning themselves whatever roles they want without having "configure member roles" permission remains.

You know, I finally, finally see what you're talking about. You found a very serious flaw, and I thank you for staying with it until I finally saw the big picture. The attached patch should fix that problem. Again, it's for a clean 3.1 download.

> I also noticed that there's a new "Logo" fieldset in 3.1. There doesn't seem to be a way to hide it. The group form is already complex, and I'm not planning to use logos. I can manually disable it through _form_alter, but inability to turn it off will probably turn some people off as well.

Here's one of those cases where I think this is a really cool feature, nothing happens if you don't put anything there, so, you know? You're right, the form is already complex, but being able to have your own group logo is just way too cool to me.

I guess somewhere down the line I'll make that configurable in the general settings (talk about too complex as it is!)

Anyway, thanks very much for the input. Trust me, it's needed, and appreciated.

mr.andrey’s picture

Great! Thanks for taking the time to make it all work.

I just checked, and when the "configure member roles" permission is unchecked, the member role options disappear in the regcode fieldset. This is awesome.

No worries about the logo, and though I think it's a cool feature, we're not planning to use it, so it's super simple to disable it with _form_alter.

Andrey.

somebodysysop’s picture

Status: Active » Fixed
Anonymous’s picture

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.
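
The rule this thread converged on, as an added example that is not part of the thread and not OG User Roles' code: role assignment through the registration-code fieldset requires "configure member roles" as well as "manage registration codes", and the example goes one step beyond the thread by applying the same rule to the submitted values, not only to what is displayed. The field keys, function names and sample data are hypothetical; `can()` stands in for Drupal's `user_access()`.

```php
<?php
// Added illustration. Field keys and helper names are hypothetical.
const PERM_CODES = 'manage registration codes';
const PERM_ROLES = 'configure member roles';

// Stand-in for user_access(): $perms lists the permissions the editing account holds.
function can(array $perms, string $perm): bool {
  return in_array($perm, $perms, true);
}

// Display side: which fields of the registration-code fieldset to render.
function regcode_fields(array $perms, array $assignable_roles): array {
  if (!can($perms, PERM_CODES)) {
    return [];
  }
  $fields = ['use_codes', 'delete_after_use', 'codes'];
  // Role fields need the second permission AND a non-empty role list,
  // so an empty "Role to assign" drop-down is never built.
  if (can($perms, PERM_ROLES) && $assignable_roles) {
    $fields[] = 'set_default_role';
    $fields[] = 'default_role';
  }
  return $fields;
}

// Submit side: apply the same rule to posted values, because a field that
// was not rendered can still be present in a hand-built request.
function regcode_clean_submission(array $perms, array $assignable_roles, array $posted): array {
  $clean = array_intersect_key($posted, array_flip(regcode_fields($perms, $assignable_roles)));
  $role = $clean['default_role'] ?? null;
  $role_ok = !empty($clean['set_default_role'])
    && (is_int($role) || is_string($role))
    && isset($assignable_roles[$role]);
  if (!$role_ok) {
    // Checkbox off, role not in the allowed list, or role fields not permitted.
    unset($clean['set_default_role'], $clean['default_role']);
  }
  return $clean;
}

// Constructed sample data: role id => name, and one posted form.
$roles  = [4 => 'group editor', 5 => 'group moderator'];
$posted = ['use_codes' => 1, 'codes' => 'SPRING', 'set_default_role' => 1, 'default_role' => '5'];

// Account holding only "manage registration codes".
print_r(regcode_clean_submission([PERM_CODES], $roles, $posted));
// Account holding both permissions.
print_r(regcode_clean_submission([PERM_CODES, PERM_ROLES], $roles, $posted));
// Both permissions, but no roles enabled under "Group role options".
print_r(regcode_fields([PERM_CODES, PERM_ROLES], []));
```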