Hi Guys,

I would like to know if any of you are having issues with limiting access for anonymous users.

I have created a content page and added this setting:
Groups audience:
Admin Office
Group content visibility:
Private - accessible only to group members

I tried to access this content as an anonymous user and I can see it.

Another access issue: when I created a group and wanted to make it private, it was still displayed in the group listing and anonymous users can see the contents.

Thank you.

Comments

HippoOnDiet’s picture

Title: Visibility Access issue with OG 7--1-0-85-g7690ea0 » OG 7--1-0-85-g7690ea0 Visibility Access issue and Domain Access
Issue tags: +domain access

Sorry, I forgot to mention that this is in relation to Domain Access.

When I removed the Domain Access module, OG access actually works.

I will give it a test again with Domain access and give some updates.

I have updated the title and tag Domain Access.

Update:
It seems like Domain Access overwrites OG access.
I tried to find out how to put a weight for D7 Modules, but I could not find any clues :(
One link I found is talking about hook_module_implements_alter, but I do not have enough knowledge to understand this.

So is there any way we can make OG access control higher than Domain Access control?

Thank you again for this module :)

a.siebel’s picture

subscribe - Have the same problem.

amitaibu’s picture

Title: OG 7--1-0-85-g7690ea0 Visibility Access issue and Domain Access » Visibility Access issue and Domain Access
Issue tags: -domain access

I don't use domain access, so I won't work on this.

shadowmihai’s picture

Priority: Normal » Major

I have this problem with Ubercart - with Organic Groups enabled, anonymous users can no longer access the ubercart catalog view uc_catalog - I had to uninstall OG 7 to make it work again. This seems to have to do with OG's node access or content access restrictions, but mucking about with those permissions within the OG permissions interface changed nothing...

It took me 5 hours to track this down... I am not a coder at all and cannot figure out where or how to change this.

Since this issue has been traced to OG and it obviously affects the way content is accessed in potentially many other modules, I have escalated this from "normal" to "major".

cartagena’s picture

subscribe

AndrzejG’s picture

For D6, it is impossible to use Domain Access together with OG, because both applications rewrite node access rules. So the rewrite in effect is that of the last enabled application, and it conflicts with the previously enabled one.

I think the same is true for D7.

m4olivei’s picture

I've run into this as well. It seems to come down to conflicting node grants provided by OG and DM. Domain access adds a very liberal 'view all nodes' node grant to the node_access table. It adds the grant in the function domain_set_default_grant() in domain.module:

/**
 * Ensure that the 'domain_all' grant is present.
 */
function domain_set_default_grant() {
  static $check = NULL;
  if (is_null($check)) {
    $check = (bool) db_query_range("SELECT 1 FROM {node_access} WHERE realm = :realm AND gid = :gid", 0, 1,
      array(
        ':realm' => 'domain_all',
        ':gid' => 0,
      )
    )->fetchField();
    if (empty($check)) {
      db_insert('node_access')
        ->fields(array(
            'nid' => 0,
            'gid' => 0,
            'realm' => 'domain_all',
            'grant_view' => 1,
            'grant_update' => 0,
            'grant_delete' => 0,
        ))
        ->execute();
    }
  }
}

As I understand it, this node grant effectively removes any access checks for viewing any nodes on your site. So even though OG private nodes insert a node grant to conditionally grant view access to a node based on group membership, because of the way node grants work it doesn't matter since DM grants view access to all nodes.

I'd love to get feedback from the author of DM to verify this is the case. I have had limited exposure to node grants, but am fairly confident that's how it works.

To summarize, if you want to restrict view access to some nodes (e.g. OG private nodes), you can't use domain access.

Matt
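
A simplified model of the grant evaluation described in the comment above, as an added example that is not part of the thread, Drupal core, OG or Domain Access: rows in node_access are matched against the grants a user holds and OR'd together, so a single permissive row is enough to allow viewing. The OG realm name, gid and node id are hypothetical, it is an assumption that Domain Access hands anonymous visitors the domain_all grant, and other access layers (permissions, hook_node_access) are left out.

```php
<?php
// Simplified model of Drupal 7 node grant evaluation (added example, not
// Drupal core, OG or Domain Access code). Rows mirror {node_access} columns.

/**
 * Returns TRUE if any row grants view on $nid to one of the user's grants.
 *
 * $rows: list of node_access rows.
 * $user_grants: realm => list of gids, as the node grant hooks would return.
 */
function model_view_access(array $rows, array $user_grants, $nid, $published = TRUE) {
  foreach ($rows as $row) {
    // A row with nid 0 applies to every published node.
    $applies = $row['nid'] === $nid || ($row['nid'] === 0 && $published);
    if (!$applies || $row['grant_view'] < 1) {
      continue;
    }
    $gids = isset($user_grants[$row['realm']]) ? $user_grants[$row['realm']] : array();
    if (in_array($row['gid'], $gids, TRUE)) {
      // Grants are OR'd: one matching row allows access, no module can veto it.
      return TRUE;
    }
  }
  return FALSE;
}

// Constructed sample data. Node 42 stands for an OG private node; the realm
// name 'og_access_example' and gid 7 are hypothetical placeholders.
$og_row = array('nid' => 42, 'gid' => 7, 'realm' => 'og_access_example', 'grant_view' => 1);
// The row written by domain_set_default_grant(), as quoted above.
$domain_row = array('nid' => 0, 'gid' => 0, 'realm' => 'domain_all', 'grant_view' => 1);

// Anonymous visitor with no group membership, OG rows only.
$anon_og_only = array();
// Assumption: with Domain Access enabled the visitor holds domain_all, gid 0.
$anon_with_domain = array('domain_all' => array(0));

// Case 1: OG alone, private node, anonymous visitor.
var_dump(model_view_access(array($og_row), $anon_og_only, 42));
// Case 2: same node and visitor once the domain_all row and grant exist.
var_dump(model_view_access(array($og_row, $domain_row), $anon_with_domain, 42));
// Case 3: as case 2, but the node is unpublished, so the nid 0 row is ignored.
var_dump(model_view_access(array($og_row, $domain_row), $anon_with_domain, 42, FALSE));
```

To check a real site for the same condition, look for rows in node_access with nid 0 and grant_view set, since each one applies to every published node.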

m4olivei’s picture

Found this issue: #634932: OG Directory does not show all groups as it should, which is basically the same thing. DM author describes the issue well in comment #2.

Anticosti’s picture

Subscribing

Taxoman’s picture

It would be useful to have a statement about the compatibility related to having more than one module that rewrites node access rules, and a list (table) of which modules currently do this, and if some or all of them are in conflict with each other.

That should ideally be a handbook page which the Readme.txt file AND the project page can link to with a short description.

AndrzejG’s picture

+ for #10

Whom should we ask for that?

Encarte’s picture

I've tested access modules since D5 and I can't remember two that worked together unless they're part of a bundle. The answer has always been: patch or quit. I can remember at least those ones, each incompatible with all the others:

- Organic groups (example: #1268068: Add option to always grant view access to users belonging to content's group audience)

- Domain access (example: #243731: Making TAC and OG Work Together)

- Workflow (example: #185641: workflow_access vs. taxonomy_access or #171882: Incompatibility between workflow_access and Taxonomy access control? or #207358: Organic Groups and Workflow Access visibility)

- TAC (example: #1046128: OG and TAC working on latest versions? or #1036232: Compatibility with Organic Groups public/private posting.)

- Content Access (example: #1306846: Not working, no content blocked or #764904: Content Access tool conflicts with Domain Access)

You'll find issues like this everywhere, all similar and generally tagged as Fixed or Won't fix or Support Request. You just won't find any solution besides patching away Drupal code...

Discussions generally regard the incompatibility of two contributed modules: I remember very few occasions of effort across different modules and core developers (like #286692: Improve Node Access system).