Shouldn't the og_is_node_admin() function actually check for admins, not just the group manager. In other words shouldn't the existing function:

/*
 * Determine whether user can act as a group administrator for a given group.
 */
function og_is_node_admin($node) {
  return node_access('update', $node);
}

be changed to:

/*
 * Determine whether user can act as a group administrator for a given group.
 */
function og_is_node_admin($node) {
  global $user;
  $admin = db_result(db_query('SELECT is_admin FROM {og_uid} WHERE uid=%d AND nid= %d', $user->uid, $node->nid));
  return $admin || node_access('update', $node);
}

Comments

pbarnett’s picture

pbarnett commented

Possibly better written as

/*
* Determine whether user can act as a group administrator for a given group.
*/
function og_is_node_admin($node) {
  global $user;
  
  if (node_access('update', $node)) return true;

  return db_result(db_query('SELECT is_admin FROM {og_uid} WHERE uid=%d AND nid= %d', $user->uid, $node->nid));
}

to eliminate the superfluous db query when node_access is true anyway.

Pete.

moshe weitzman’s picture

moshe weitzman commented

do you have og_access module disabled? thats what gives group admins update power on the group node. requires some investigation. this may require further changes.

scedwar’s picture

scedwar commented

We hadn't, as we aren't currently using any private groups functionality - however I now see that this function actually controls a lot more.

I've just enabled this and it appears to fix it. Maybe this function should still be changed or overridden with something like "og_is_group_admin" that performs the check even if og_access is disabled?

FWIW we are using the Domain module and so didn't enable this as it saved making the patch to core for multiple node_access.

moshe weitzman’s picture

moshe weitzman commented
Title: og_is_node_admin() bug » og_is_node_admin() assumes og_access is enabled
Version: 5.x-7.3 » 6.x-1.0-rc4

will be backported as well

scedwar’s picture

scedwar commented

I should also add, two points:

1) we are actually 5.x-6.1 of og (although this function appears unchanged in recent versions).

2) adding the code I suggested above seems to have a MAJOR effect of allowing any group admin permissions to edit any node published into that group. This is highly desirable (even though unintended!) for our site but may be an unwanted side-effect of this change. We have been trying to find time to test the newer versions of og with the wiki style functionality so our view of this functionality is a few months behind the og releases.

moshe weitzman’s picture

moshe weitzman commented
Status: Needs review » Fixed

committed a different fix. i'd love for folks to do some testing with the dev snapshots for D5 and D6. I will make releases once i hear some positive reports.

Anonymous’s picture

Anonymous (not verified) commented
Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.