If you create a role with crud capabilities on a given content type, and then if a user has the role for a given group, he can change the audience to a cross-posted group for which he does not have membership. He can also change the audience to none (or public). I tested this in 1.5 and it correctly did a validation on the save of the content.

4.x however lets you set the group to whatever you want once you are able to bring up the content editing form.

Comments

itsnotme

Title: security issue in setting group audience » Cannot confirm security issue in setting group audience

crud?

I'm not the module container, but tried this with 4.0-dev in my project, and I cannot confirm this bug here. User with role x to edit content type xx can still only see his assigned group when he posts. My groups have the access setting "Visible only within the targeted groups.", if that may be an issue.

(The "public" setting is afais another bug, which I also have, but not due to this module.)

itsnotme

Title: Cannot confirm security issue in setting group audience » Security issue in setting group audience

Oops, sorry for accidentally changing the whole issue title :/ Changing back now.

riverfr0zen

subscribe

sun

Status: Active » Closed (won't fix)

According to #1, this bug report is bogus.