Just stumbled upon an issue in og_menu's code where filtering of menu items may not sort out all menus for which you should not have access rights.
Look at this line:
strpos($key, $menu['menu_name']
Now consider a case where you have two separate og menus called 'menu-abc' and 'menu-abcd'. In this case the group admin of group 'abc' would also get 'menu-abcd' displayed.
Attached you'll find patches for both og_menu 6.x-1.3 and 6.x-1.x-dev created from within the og_menu directory.
I'd also like to mention that it also would make sense to use hook_form_alter() to alter the menu settings in node edit forms which might expose the whole menu structure and not just the subtrees of groups where a user has admin permission.
| Comment | File | Size | Author |
|---|---|---|---|
| | og_menu-1.3.patch | 678 bytes | Anonymous (not verified) |
| | og_menu-dev.patch | 678 bytes | Anonymous (not verified) |
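
The name collision described in the post above, shown as an added example that is not part of the original post, the attached patches or og_menu's own code. The function names, the sample data and the `menu_name:mlid` form of the option keys are assumptions made for illustration.

```php
<?php
// Constructed sample: parent-menu options keyed as "menu_name:mlid" (assumed format).
$options = array(
  'menu-abc:0'   => '<Group ABC menu>',
  'menu-abc:12'  => '-- About',
  'menu-abcd:0'  => '<Group ABCD menu>',
  'menu-abcd:31' => '-- Members',
);
// Menus the current user may administer (constructed): only group 'abc'.
$allowed_menus = array(array('menu_name' => 'menu-abc'));

// Hypothetical filter using the substring test from the reported line:
// any key that merely contains an allowed menu name is kept.
function filter_by_substring(array $options, array $menus) {
  $kept = array();
  foreach ($options as $key => $label) {
    foreach ($menus as $menu) {
      if (strpos($key, $menu['menu_name']) !== FALSE) {
        $kept[$key] = $label;
      }
    }
  }
  return $kept;
}

// Hypothetical hardened filter: take the part of the key before the first ':'
// and require it to equal an allowed menu name exactly.
function filter_by_exact_name(array $options, array $menus) {
  $names = array();
  foreach ($menus as $menu) {
    $names[$menu['menu_name']] = TRUE;
  }
  $kept = array();
  foreach ($options as $key => $label) {
    $parts = explode(':', $key, 2);
    if (isset($names[$parts[0]])) {
      $kept[$key] = $label;
    }
  }
  return $kept;
}

// The substring filter keeps all four keys; the exact filter keeps only the 'menu-abc' ones.
print_r(array_keys(filter_by_substring($options, $allowed_menus)));
print_r(array_keys(filter_by_exact_name($options, $allowed_menus)));
```
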
Comments
Comment #1
jide commented
Closing old 1.x issues.