Every post is made public

I'm new to og, and I thought this was a bug also, but looking at the code in og.module, this is the default behaviour. You probably need to (a) delete a row from node_access table, and (b) edit og.module to change the behavious. See my comment elsewhere http://drupal.org/node/21133#comment-131920

this seems to be a duplicate of http://drupal.org/node/21133

my mistake. that last node was a forum topic. there was another dup which is now pointed here.

to summarize, there seem to be two issues:

1) anonymous users can browse to a group's home page even when the group is "private". i assume private in this context means that the "list in groups directory" option is not checked for that group.

2) anonymous users can browse to content on a group's homepage which has the "public" option (under groups) unchecked. presumably, content flagged in this way should only be visible to group members.

this is still an issue in // $Id: og.module,v 1.110.2.157 2006/12/12 02:56:34 weitzman Exp $

This might be a seperate issue, but on groups.drupal.org you can create a group - and _before_ it is approved others can join the group, post comments etc.

I didn't have time to look to closely, it happened by accident. A friend made a group - sent me the url, I joined and commented - then saw a banner at the top that read "The post has been submitted for moderation and won't be accessible until it has been approved." And I checked and sure enough - on the groups list the 'subscribe' link isn't there for that group and said friend told me it hadn't been approved yet.

Anyway, hope this helps.

Subscribing.
This bug exists in HEAD, too.

I am trying to figure out what is happenning....
I think looking at the {node_access} is relevant.
One node which should be private to a single og, has: realm = all, grant_view = 1. I guess it is not supposted to be this way...
But even if I manually update the DB so that realm = all and grant_view = 0, the node is visible.

I don't know enough that part of the code, so I am merely pocking around, to see what I can find...

Oh my god!
I was sure that I had enabled the Organic groups access control at /?q=admin/og/og, but checking back, I found it disabled.
Obviously, enabling it solved the problem.
I suspect that the people above forgot to do the same thing.

I close this issue: If anyone can confirm that they have enabled the Organic groups access control at /?q=admin/og/og and STILL experience the same problem, please post precise instruction on how to reproduce!

I don't know it's me, but when I disable access control in organic groups module, groups aren't visible to anonymous users. When I enable the module, group content is visible. I also installed content_access module and set that the group content type can only be viewed by authenticated users.