I've got a role set up (call it "Contributor") that has site-wide permission to post content of all types (other than an OG "Group Node" content type). In OG, all but one of the content types are set to "may not be posted into a Group." I've assigned a Group-scope role of Contributor to a User. When that User is on a Group page, the "Create Content" link points to "http://www.example.com/node/ognodeadd?gids[]=18" which calls up a page listing as links all content types other than the OG "Group Node" content type. When this User clicks on one of the content types, it brings up the "create content" form for that content-type via a link that looks like this:

http://www.example.com/node/add/committee_post2?gids[]=18

("committee_post2" is a content type)

If the content type selected by the User from this screen is the one that is able to be posted to the Group for which the User has Group-scope Contributor role, then the audience checkbox appears for that group in the content creation form and allows the User to post the content to the Group. However, if the content type selected by the User is one of the content types that (per OG) "may not be able to be posted into a Group," there is no audience checkbox and the resultant content node is not Group-specific or otherwise tied to the Group, and can be viewed by even an unregistered, unlogged-in user via a standard link (such as "http://www.example.com/node/19"). This seems to be a permissions violation for a User that should not have site-wide create content permission.

Am I missing something in how OGUR constrains content creation permissions?

Is the only solution to this to only give to roles that are group-assignable, permissions to create content of types that may be posted to a group?

Thanks for any help.

Comments

somebodysysop

Status: Active » Postponed

Is the only solution to this to only give to roles that are group-assignable, permissions to create content of types that may be posted to a group?

I would say yes for now. This is one of those things that needs a bit of figuring out. OGUR gives a user the permissions of a group role while in group context. This means that if a user can post content while in a group, you need to make sure that content is group limited if you don't want it public. You can make the argument that ogur should respect the "may not be posted into group" setting, but what about users who actually want group users with this permission to post content that "may not be posted into group"?

See the problem? So, your solution seems to be the best for now.

MikeBC

I understand: the OGUR role-based permission is site-wide in terms of its scope for the period the permission is active, but it is only active while the user is on or coming from a group page. Thanks for your response.

I think all of the logic elements that are necessary for this "loophole" to be closed are already in existence and available to the module; it's just a matter of adding the actual logic.

If I have time this weekend, I'm going to spend some time looking at the OGUR code and seeing if I can figure out how to kick up an 'access denied' to the user if (a) the user is trying to post a content type that is not group-postable and (b) the user only has group-based permission to post that content type. If the user has non-group-based (i.e. sitewide) permission to post that content type, then no error.

This will probably be just an exercise for my own benefit since I am new to Drupal and still learning how modules work but at least I will hopefully have a useful learning experience. If I do manage to come up with anything useful I will post here.
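
The check described in the comment above, written out as an added example (not OGUR's code and not posted by anyone in this thread). It uses plain PHP arrays instead of Drupal or OG API calls; the function name, permission strings and content type names are hypothetical, and only the group id 18 comes from the report.

```php
<?php
// Added illustration: plain PHP, no Drupal or OG API calls. All names are hypothetical.

/**
 * Decide whether a node-creation request should be allowed.
 *
 * $sitewide_perms  permissions from the user's site-wide roles
 * $group_perms     permissions from roles the user holds only inside the current group
 * $group_postable  content types that may be posted into a group
 * $gid             group context of the request, or NULL outside a group
 */
function may_create($type, array $sitewide_perms, array $group_perms, array $group_postable, $gid = NULL) {
  $perm = "create $type content";

  // A site-wide grant always applies, in or out of group context.
  if (in_array($perm, $sitewide_perms, TRUE)) {
    return TRUE;
  }
  // Without a group context, group-scoped roles contribute nothing.
  if ($gid === NULL || !in_array($perm, $group_perms, TRUE)) {
    return FALSE;
  }
  // Group-only grant: honour it only when the node can be tied to the group.
  // Otherwise the result is an ungrouped node that anyone can view.
  return in_array($type, $group_postable, TRUE);
}

// Constructed sample data mirroring the report: the user holds a create
// permission only through a group-scoped role, and one type is group-postable.
$sitewide = array();
$group    = array('create group_post content', 'create page content');
$postable = array('group_post');

// Case 1: group-postable type, requested from group 18.
var_dump(may_create('group_post', $sitewide, $group, $postable, 18));
// Case 2: non-postable type with a group-only grant (the reported loophole).
var_dump(may_create('page', $sitewide, $group, $postable, 18));
// Case 3: same type, but the user also holds the permission site-wide.
var_dump(may_create('page', array('create page content'), $group, $postable, 18));
// Case 4: group-only grant used outside any group context.
var_dump(may_create('group_post', $sitewide, $group, $postable));
```
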

somebodysysop

Thanks. That will be appreciated.

sun

Status: Postponed » Closed (won't fix)

After the rise of the rewritten OGUR 4.x for Drupal 6, in which many unrelated features of OGUR were removed, and nearing a release of Drupal 7, I'm closing down old issues.