Realm missing after upgrade

Just some things that come to mind to double check and/or consider:

• Don't forget to run update.php. There are database changes to OGR and OG.
• Make sure og_access.module is installed and configured. If you used an older version of OG and upgraded, the og_access.module is NOT installed by default. Also note that in the new OG scheme, you must explicitly set your content types as "group posts".
• Taxonomy_Access Control (TAC) needs to be installed if you are going to turn on TAC/OG integration. You should set the default "Uncategorized nodes" View setting to checked.
• "TAC/OG" integration needs to be checked ON in OGR Settings. OGR node_access_records are NOT written unless this is on.
• Rebuild permissions in Admin->Content management->Post Settings.

That's all I can think of right now.

What you mentioned above sounds exactly like what has happened to me every time I've updated one of my sites to OG 5.7.2: I forget to install and configure the og_access.module. I forget every single time. And, if it is not installed and configured, everyone can see all of your groups and their content. Duh!

That's strange. If anything, you should see the ogr_access realm.

Do you see any ogr_access realm records in your node_access table?

How many records are in your multinode_access table?

When you access the Multinode Access UI, are you logged in as the super user (user 1) to make sure you have all access rights?

If you see ogr_access records in your node_access table, but not in your multinode_access table, my guess is that the patch is still not properly installed. If the realm is there, it should retrieve it -- period.

If you don't see ogr_access records in your node_access table, then it *sounds like* you either don't have TAC/OG Integration checked on or you didn't run the OGR update.php script. Or you have no nodes which have ogr_access permissions.

I guess you should start from the top:

What modules do you have and what is the access logic you are trying to implement?

Do you really need to implement TAC/OG Integration or Multinode Access?

Once I upgraded the OGR module, I lost the access settings.

Do you mean you lost access or access settings?

No response.

I'm having the same problem

Setup:
Drupal 5.7
Organic groups 5.x-7.2
OG User Roles 5.x-3.2
TAC 5.2.x (also tried TAC 5.1.1)

1/ Patch on node.module (all ok)
2/ Installed TAC (all nodes visible to everyone)
3/ Enabled TAC on /admin/og/og_user_roles
4/ /admin/og/og_user_roles/multinode only shows: all, og_admin, og_public, og_subscriber (same on /admin/content/multinode)
5/ add deny rights for role and taxonomy term
6/ enabled term_access in (/admin/og/og_user_roles/multinode) but post is still visible
7/ checked node_access table, but it only contains the three values listed in 4
8/ multinode_access contains 1 record term_access
9/ rebuild the permissions
10/ cleared the cache
11/ enabled Output debug data to og_user_test table?
12/ opened node that should be hidden
13/ og_user_test contains 6 rows (first row without group context?):

'2008-06-24 02:39:04 pm', '8', 'test', '60', 'og_user_roles_all_roles', '1', 'group context: ', '', '/index.php?q=leverancierinfo/prijs-test (http://example.com/group/client1)', 'node', '87', '', '', 'Roles Returned: (authenticated user,gGebruiker)'
'2008-06-24 02:39:04 pm', '8', 'test', '60', 'og_user_roles_all_roles', '0', 'group context: 60', '', '/index.php?q=leverancierinfo/prijs-test (http://example.com/group/client1)', 'node', '87', '', '', 'Roles Returned: (authenticated user,gGebruiker)'
'2008-06-24 02:39:04 pm', '8', 'test', '60', 'og_user_roles_all_roles', '0', 'group context: 60', '', '/index.php?q=leverancierinfo/prijs-test (http://example.com/group/client1)', 'node', '87', '', '', 'Roles Returned: (authenticated user,gGebruiker)'
'2008-06-24 02:39:04 pm', '8', 'test', '60', 'og_user_roles_all_roles', '0', 'group context: 60', '', '/index.php?q=leverancierinfo/prijs-test (http://example.com/group/client1)', 'node', '87', '', '', 'Roles Returned: (authenticated user,gGebruiker)'
'2008-06-24 02:39:04 pm', '8', 'test', '60', 'og_user_roles_all_roles', '0', 'group context: 60', '', '/index.php?q=leverancierinfo/prijs-test (http://example.com/group/client1)', 'node', '87', '', '', 'Roles Returned: (authenticated user,gGebruiker)'
'2008-06-24 02:39:05 pm', '8', 'test', '60', 'og_user_roles_all_roles', '0', 'group context: 60', '', '/index.php?q=leverancierinfo/prijs-test (http://example.com/group/client1)', 'node', '87', '', '', 'Roles Returned: (authenticated user,gGebruiker)'

Other combinations tried
- only og_subscriber shows group post but doesn't hide to secret node
- only og_public doesn't show any nodes, same for og_admin
- adding ogr_access to multinode_access table but it doesn't even show in /admin/content/multinode? and no nodes are visible at all

to be continued ...

I enabled devel module for all users and my limited user doesn't see anything at all, another user still sees all he has to see. One strange thing I see for the limited user is the following query that contains 'ogr_access' (while opening the group's homepage)

SELECT COUNT(*) FROM node_access WHERE (nid = 0 OR nid = 60) AND (((realm = 'all' AND gid = 0) OR (realm = 'ogr_access' AND gid = 35) OR (realm = 'og_public' AND gid = 0)) AND nid IN (SELECT nid FROM node_access WHERE ((realm = 'og_subscriber' AND gid = 60) OR (realm = 'og_subscriber' AND gid = 0) OR (realm = 'og_subscriber' AND gid = 0))) AND nid IN (SELECT nid FROM node_access WHERE ((realm = 'term_access' AND gid = 2) OR (realm = 'term_access' AND gid = 9) OR (realm = 'term_access' AND gid = 1) OR (realm = 'term_access' AND gid = 0))) ) AND grant_view >= 1

og_user_test still has the same entries
node_access still has the same entries

multinode_access contains

'og_subscriber', 'ogr', 'AND', '0', 0, ''
'term_access', 'tac', 'AND', '1', 0, ''

Reopened because of same problem (i think)

Some more background info:
I want to be able to hide posts from a certain content type in all groups depending on the (site-wide) role the user has, the idea is that the staff needs to be able to add private nodes to any group.

I added a new taxonomy to a new content type and added some terms to control the visibility, i denied the regular user role all rights to these terms, the default is set to Ignore

If you need more info let me know

I'm having the same problem

You've supplied a lot of information, thanks. But, I'll be darned if I can figure out what your problem is.

One thing I see wrong is that your multinode_access contains
'og_subscriber', 'ogr', 'AND', '0', 0, ''
'term_access', 'tac', 'AND', '1', 0, ''

Do you mean "ogr_access", "ogr"?

Because, "og_subscriber" should NOT be ANDed or ORed.

I want to be able to hide posts from a certain content type in all groups depending on the (site-wide) role the user has, the idea is that the staff needs to be able to add private nodes to any group.

I would recommend using Content Access and Access Control List (ACL) for this functionality.

I added a new taxonomy to a new content type and added some terms to control the visibility, i denied the regular user role all rights to these terms, the default is set to Ignore

Yes, OK, but you still haven't explained the problem.

I'll try and go over some common problems:

1. Did you enable og_access.module on OG upgrade?
2. Are all content types used enabled for OG?
3. You applied multinode_access patch. Please replace node.module with clean 5.7 unpatched version of node.module and re-apply updated patch here: http://drupal.org/node/196922#comment-885841
4. When you upgraded or installed Drupal 5.7, did you apply the Clear the Cache patch and turn on that setting?: http://drupal.org/node/177948
5. Enabled TAC/OG Integration in OGR Settings? (double-check)
6. TAC permissions should have "View" permission for "Uncategorized nodes" checked for ALL roles. This, by default, should create "term_access" records.

@edvanleeuwen, sounds like it's fixed for you.

I have a site which has public articles and articles specifically for certain groups (e.g. club members, honourary members, members of the press, and friends). For each of these groups I would like to restrict access to articles/nodes and have only those group members notified. I have not seen any other solution than to do this by using OGR (or CiviCRM). Am I right?

Sounds like basic OG functionality. Content can be public or group-only. If group-only, only members of the group can access.

If you wish to control which members of a particular group can access what content within the group, you have two options that I am aware of:

1. OG User Roles you already know. Using TAC/OG integration, you can create hierarchies of access levels within individual groups. You can have one set of roles and vocabulary with access control implemented on a per-group basis.

2. OG Vocabulary: http://drupal.org/project/og_vocab. This allows you to create vocabularies which are specific to groups. But, you must create a separate set of vocabularies for each individual group.

I don't know CiviCRM so I'm not qualified to say what it can or cannot do.

Some replies
1/ og_access.module is active
2/ content type is set to standard group post
3/ reapplied new patch
4/ clear the cache is on and double checked the patch
5/ double checked, it's on
6/ on admin/user/taxonomy_access/edit/2 i have one line global - default with allow in view column and checks for create / list

Result
User sees all post even those not in his group

Changes
on /admin/og/og_user_roles/multinode I enabled content_access_rid with group ogr (is this ok?), i disabled all other checkboxes, so I only have content_access_rid in multinode_access table
on each content type i gave authenticated users view access except on the secret one, where view is only given to a specified role.

No the limited user doesn't see the secret node, but he still sees all other nodes (including the ones in other groups)

What am I missing?

Do you mean "ogr_access", "ogr"?

I never saw nor see ogr_access in the multinode_access table (SELECT * FROM multinode_access m;) or in the node_access table (SELECT distinct realm FROM node_access n;)

I assume it should be there somewhere?

Fixed (i think)

on admin/user/taxonomy_access/edit/2 i have one line global - default with allow in view column and checks for create / list, so i changed the A to I and unchecked the 2 others and everything looks ok.

the limited user only sees post in his group
the limited user doesn't see the secret content type

the normal user sees all posts in the group

I still don't know what the problem was.

If you're trying to get TAC/OG integration working, and you've turned on TAC/OG in OGR settings, this is what your Multinode Access UI screen should look like:

http://drupal.org/files/OGRConfigureMultinodeUI.jpg

If you are also running Content Access and ACL, you should follow these instructions:

http://groups.drupal.org/node/5392

If your setup is working exactly fine now, leave it alone.

One final question, where's the ogr_access coming from (where is it defined)?

I kind of followed the instructions in 5392 the first time i set it up, but it didn't work :/ hence my posts in here

BTW: great module

ogr_access realm consists of grants granted by the OG User Roles module. However, these grants are not provided unless TAC/OG Integration is turned on (because they involve TAC permissions as well). These grants allow us to let users see content they have access to outside of group context.

They are not, however, critical.

You will only see them if:

a. TAC/OG Integration is turned on.
b. You have defined users with OG roles.
c. You have defined content that these OG roles will have access to.

too bad I have the same issue :(

I mean: "no ogr_access" on a brand new drupal, installed 2 days ago (not upgraded, last recommended versions).

I installed, re-installed, reset to default everything I could, deleted content and users, even dropped multinode table, updated all possible og modules (re-installed table).

Since it's a brand new Drupal install with few testing users and content, I had (a) but not (b) and (c).
No user, no posts, no group: "all", "og_public" and "term_access"

When I created a user and a group (no post, no other user), I only have "all" "og_public", "og_admin" and "term_access".
After I created another user, another group, a post and joined second user to first group, I also have "og_subscriber"
I also created a forum and a postand nothing changed.

but no "ogr_access" so far ...

Would you please test with a fresh drupal install and confirm?
If it's confirmed, what exactly creates the ogr_access?
Why do I have og_ and not ogr_ for other realms?

Thanks :)

active?

post #23 was just to activate, I thought activation was automatic with a new post on a closed discussion.

a. TAC/OG Integration is turned on.
b. You have defined users with OG roles.
c. You have defined content that these OG roles will have access to.

Oops. I'm sorry, but I forgot:

d. Said content is associated with a vocabulary.

Here's the code that creates the ogr grants in hook_node_access_records:.

	// This creates all ogr grants
    
    $where = "WHERE ta.rid = ogr.rid AND n.nid = ".$node->nid;
    $result = db_query("SELECT n.nid, ta.rid, ogr.ogr_id, BIT_OR(ta.grant_view) AS grant_view, BIT_OR(ta.grant_update) AS grant_update, BIT_OR(ta.grant_delete) AS grant_delete FROM {term_node} n INNER JOIN {term_access} ta ON n.tid = ta.tid INNER JOIN {og_ancestry} oa ON n.nid = oa.nid INNER JOIN {og_users_roles} ogr ON oa.group_nid = ogr.gid $where GROUP BY n.nid, ta.rid");
    
    while($row = db_fetch_object($result)) {
      if ($row) {
        $grant_view = ($row->grant_view == 1) ? 1 : 0;
        $grant_update = ($row->grant_update == 1) ? 1 : 0;
        $grant_delete = ($row->grant_delete == 1) ? 1 : 0;

        $grants[] = array(
          'realm' => 'ogr_access',
           'gid' => $row->ogr_id,
           'grant_view' => $grant_view,
           'grant_update' => $grant_update,
           'grant_delete' => $grant_delete,
          'priority' => 0,
        );
      }
    }

As you can see, if there's nothing in term_node and term_access for the node, then no ogr_access record is written.

Added some commentary here to try and explain how this works: http://drupal.org/node/281197

I realize I forgot to thank you for your beautiful code gem.
It's cement between 2 important bricks.
Thanks a lot for your quick reply too!

... but I'm certainly missing something somewhere.

I have 240 term_access records in node_access like:
Full Texts nid gid realm grant_view grant_update grant_delete
Edit Delete 1 1 term_access 1 0 0

I think, what would be the best is a low level tutorial (no table name, just plain existing menu navigation) from a fresh new Drupal install.
I'm sure it will help in adoption and growing community around it.

My 2 cents contribution:
If you're on a shared hosting (no CLI access, so not possible to "patch -p0" on the server), simply download the file locally in the same folder as the patch, patch it (patch -p0) and re-upload the patched version (from a Mac or Linux, I don't know from Windows).

Good idea on the tutorial. Will get there, but gotta figure out why your realms aren't showing up.

You have term_access records, but are any of those terms associated with OG group nodes?

Have you rebuilt permissions? Admin->Post Settings->Rebuild Permissions

I assume that the ogr_access realms aren't showing up in the Multinode User Interface. But, when you query the node_access table, do you see them? If you do see them there, then this is a permissions issue.

In short, this is what I believe needs to happen to get ogr_access. We assume OG, TAC and OGR are installed. Multinode_access.patch is installed. You also have group roles defined in OGR settings. Make sure og_access.module is installed.

1. Turn on TAC/OG Integration in OGR settings.
2. Set up Multinode Access logic using UI
3. Create Vocabulary and assign it to content type that will be used in group. Make sure content type is checked as "standard group post".
4. Use Taxonomy Access Control Permissions to define what roles can access terms. This will create "term_access" records.
5. Create OG group(s).
6. Add user(s) to the group(s).
7. Use "Configure member roles" to place user(s) into group roles. This will create "ogr_id" records in "og_users_roles" table.
8. Create node(s) within the group(s). Make sure the node(s) is "standard group post" content type(s). This will create the "og_ancestry" records.

When permissions are built, OGR will look for ogr_id records associated with a node through term_access and og_ancestry, and if found will create an ogr_access record for the node.

term_node (matches node) -> term_access (matches node to term) -> og_ancestry (matches node to group) -> og_users_roles (matches node to term within the group)

If we identify an ogr_id that associates a particular node with a particular term within a particular group, we write an ogr_access realm record into the node_access table for it, and give it the gid = ogr_id. With this ogr_access record, we know what OG content a user can access without having to be in group context.

That, theoretically, is how it's supposed to work.

Ok,
I finally get ogr_access.
Looks like combined changes AND new post creation made the trick.

I checked ogr_access every time I changed a parameter in setup (but I didn't add a new post after each change).
When I added a post after MANY changes, ogr_access appeared.
Therefore I cannot say exactly which change made it :(

For the record, what changes did you make?

May be I wasn't clear in my last post sorry, I meant I "checked after every changes", but I didn't made any custom change out of normal install:

I added-updated-removed-re-added taxonomy vocabulary, changed users TAC, changed users permissions, activated-deactivated OG-TAC, cleared caches, rebuilt permissions, re-patched file(s), checked patches.
Nothing exotic, just going back to install guide.

I don't remember the order, but basically nothing changed after each and all steps on the admin side ... until I created a couple of users, groups, hidden and visible posts via user interface. Basic issue after all.

BTW, I think the problem is on my side, since your wonderful code does exactly what it's supposed to do now ... at least I think so :)

I'm really sorry to re-open this issue again, but I just need to make sure I understand this right (because I can't see the ogr_access realm either):

To be able to have TAC hook in to OG posts, the current user needs to be assigned to a role within that group? This wasn't the case in earlier versions of this module, I belive. Earlier versions honored the system wide role within OG to.

Scenario: A site for a company with many sub divisions (OG's). Every user is assigned a system wide role, which limits (with TAC) what the user can access (outside of OG). There's also posts within every OG that needs the same access rules, so the user's system wide role should be honored within OG as well. This can't be done without assigning each user an OG Role as well as a system wide role?

Many thanks for your work with this module!

I'm not trying to be a jerk about it, but this issue was difficult enough. I'd rather not re-open it. What you describe is really a different question. Please submit a new issue.

See updated documentation on ogr_access realm here: http://drupal.org/node/281197