I have all of the OG global permissions under Organic groups UI under Add User unchecked. However, group admin can still add a user under the Group tab (....group/node/34/admin/people/add-user). This is the default setting and all my groups are using these default permissions.

Attached is a photo of my permissions.

Please advise! :)


Comments

bulldozer2003’s picture

Category: bug » support

If the group "admin" role has the "administer group" permission, they are automatically given every permission, whether or not they are enabled. You can remove the administer group permission and then give the role individual permissions as needed.

ALSO

Look at OG settings (admin/config/group/settings), is "Group manager full permissions" checked? If so, then the group admin (usually whoever created the group) will also be given every permission.
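
The override chain described in the comment above, written out as a simplified model (an added illustration that is not part of the original thread and is not Organic Groups code). The function name, array keys and sample users are hypothetical, and the order of the checks is an assumption; the result does not depend on it, because any one rule is enough to grant access.

```php
<?php
/**
 * Returns the rule that grants $permission, or NULL when access is denied.
 *
 * @param string $permission  Group permission being checked, e.g. 'add user'.
 * @param array  $account     array('uid' => int, 'group_perms' => string[]).
 * @param array  $group       array('manager_uid' => int).
 * @param bool   $manager_full_permissions
 *   State of the "Group manager full permissions" checkbox.
 */
function model_og_access_reason($permission, array $account, array $group, $manager_full_permissions) {
  // The Drupal superuser bypasses every access check.
  if ($account['uid'] == 1) {
    return 'uid 1';
  }
  // With the setting on, the group manager is granted every permission.
  if ($manager_full_permissions && $account['uid'] == $group['manager_uid']) {
    return 'group manager full permissions';
  }
  // "administer group" stands in for every other group permission.
  if (in_array('administer group', $account['group_perms'], TRUE)) {
    return 'administer group';
  }
  // Only when none of the overrides apply does the individual checkbox decide.
  if (in_array($permission, $account['group_perms'], TRUE)) {
    return 'explicit: ' . $permission;
  }
  return NULL;
}

// Constructed sample data: uid 5 created the group, uid 9 is an ordinary
// member with the same role. "add user" is unchecked for that role.
$group = array('manager_uid' => 5);
$role_perms = array('approve and deny subscription');
$users = array(
  'creator' => array('uid' => 5, 'group_perms' => $role_perms),
  'member' => array('uid' => 9, 'group_perms' => $role_perms),
);

foreach (array(TRUE, FALSE) as $full) {
  foreach ($users as $label => $account) {
    foreach (array('add user', 'approve and deny subscription') as $perm) {
      $reason = model_og_access_reason($perm, $account, $group, $full);
      printf("full=%-3s %-8s %-30s %s\n", $full ? 'on' : 'off', $label, $perm,
        $reason === NULL ? 'DENIED' : 'granted via ' . $reason);
    }
  }
}
```

When an unchecked permission still appears to be granted, the returned reason shows which override to look at first: the account's uid, the group manager setting, or the "administer group" checkbox on the role.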

djween’s picture

bulldozer2003, thanks for the reply. I tried several items but issues are still present...

Case I
---------
--admin/config/group/settings > Group manager full permissions unchecked
--admin/config/group/permissions > administrator member has permission to (i) edit group and administer group and (ii) pretty much everything else on that page is checked for administrator member.
--admin/people/permissions > node > I tried 2 scenarios here, once with selecting administer content and administer content types and once without selecting those for the site role that gets assigned to the OG administer member role.

Result: OG administrator member cannot edit his group or group content at all.

Case II
---------
--admin/config/group/settings > Group manager full permissions checked
--admin/config/group/permissions > no matter the settings here the results are the same...
--admin/people/permissions > node > administer content and administer content types are not selected for the site role that gets assigned to the OG administer member role.

Result: OG administrator member can edit his group or group content but there is no granular control... for example to disallow admin member from adding a new user.

The issue still exists in that it is not allowing granular OG control for the admin member.

bulldozer2003’s picture

Take away the "administer group" group role permission.

That permission only does one thing: treat the user as if they have ALL group role permissions.

djween’s picture

@bulldozer2003 hmmm, I tried that again as per your suggestion but no luck. It is basically what I did in case scenario II above in post #2. Is it possible this is a defect? Are you able to get granular for your group admin user?

You want to get on a Webex with me so I can show you? haha

bulldozer2003’s picture

I just checked it out myself and everything seemed to be working properly. As long as you've checked all the OG global permissions, the user is not uid 0, and both administer group and add user are unchecked, the add-user and people pages should be blocked out.

Since a user without add-people nor administer group has nothing to do on the group admin pages, you should likely uncheck "use the administration pages" as well.

djween’s picture

I am still seeing the issue:

--I am logging in as the creator of the group (which is not UID 0)
--as per image attached to this comment I have 'administer group' unchecked (I also tried it with 'Edit group' unchecked as well).
--second screen shows the user still has access to all the items on the group tab.

> Since a user without add-people nor administer group has nothing to do on the group admin pages, you should likely uncheck "use the administration pages" as well.

--I am looking to remove 'Add people' functionality but still want to maintain 'People' functionality in groups tab. (I don't want group manager to be able to add whomever he wants -- rather only people that apply).

djween’s picture

Images attached here for comment above!

bulldozer2003’s picture

Version: 7.x-1.3 » 7.x-1.x-dev
Status: Active » Needs review
FileSize
532 bytes

Looking through the source code, approve and deny subscription isn't actually used anywhere :-/

The people page requires the administer group permission to view because you may remove users and change user group roles there.

The attached patch changes the people page to look at the approve and deny subscription permission. See if it does what you want with the above caveats.

ifish’s picture

Having same issue, I'd only like to have permission for "People" not "Add People".

Thanks in advance.

djween’s picture

#8 @bulldozer2003

Thanks for the patch but I do not see where to apply that. My og_ui.module code looks as follows...

function og_ui_menu() {
  $items = array();
  $items['group/%/%/subscribe'] = array(
    'type' => MENU_CALLBACK,
    'file' => 'og_ui.pages.inc',
    'page callback' => 'og_ui_subscribe',
    'page arguments' => array(1, 2),
    // Function will take care of permissions, as we want to show "you are
    // already a member of the group" to group members, however it is not
    // possible to give authenticated group members the "subscribe" permissions.
    'access callback' => 'user_is_logged_in',

    // We don't add the group name, as it might be private.
    'title' => 'Join group'
  );

Also, does the patch help fix the permissions issues:
--correlate "Add user" permission in OG global permissions to the "Add people" link on the group tab?
--correlate "Approve and deny subscription" to the "People" link on the group tab?

As of now those permissions do not seem to correlate to anything.

bulldozer2003’s picture

The add user link is already correlated to the add people permission. The link will still appear on the group tab but clicking on it results in an access denied message.

Below is the section of code the patch addresses, the access argument has been changed from administer group to approve and deny subscription.

og_ui.module:
  // User listing pages.
  $items['group/%/%/admin/people'] = array(
    'title arguments' => array('People in group @group', 1, 2),
    'title callback' => 'og_ui_menu_title_callback',
    'description' => 'Find and manage group members.',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('og_ui_user_admin_account', 1, 2),
    'access callback' => 'og_user_access_by_entity',
    'access arguments' => array('approve and deny subscription', 1, 2),
    'weight' => -4,
    'file' => 'og_ui.admin.inc',
  );

djween’s picture

I must be missing something. In OG global permissions (admin/config/group/permissions):

I have 'Administer group' unchecked for all roles
and
I also have 'Add user' unchecked for all roles.

Yet, logged in as a group admin (not as UID 0), I can freely go in and get to the '/group/node/17/admin/people/add-user' page and also actually add a user.

(and my group is using the default permissions).

bulldozer2003’s picture

Is that "group admin" the group manager? And is 'group manager full permissions' checked in admin/config/group/settings?

djween’s picture

> Is that "group admin" the group manager?

The user is under the OG "administrator member" role.

> And is 'group manager full permissions' checked in admin/config/group/settings

Yes, it was checked.

When I test 'group manager full permissions' by unchecking it, the user has no admin permissions even if in admin/config/group/permissions the following are checked:
'Administer group'
'Edit group'
'Approve and deny subscription'
'Add user'

amitaibu’s picture

Status: Needs review » Fixed

Committed, thanks.

djween’s picture

Status: Fixed » Active

I would like to reopen. Patch doesn't address this submitted issue but rather another issue found as a result of this post's issue.

bulldozer2003’s picture

@djween I see the problem. In 7.x-2.x there is a "use the group administration pages" permission. That permission was not in 7.x-1.x and you needed administer group to view the group tab. I will work on a patch here to backport that feature.

bulldozer2003’s picture

Status: Active » Needs review
FileSize
1.39 KB

@Amitaibu I don't see that patch in the commit logs, the attached patch INCLUDES #8.

This patch changes the people page access to the approve deny permission and adds the use admin pages permission (backport from 7.x-2.x).

@djween Give your admin role the new user admin pages permission and the group tab will show up now :-)

amitaibu’s picture

> @Amitaibu I don't see that patch in the commit logs,

Sorry, git push didn't work properly. Anyway, it was pushed earlier. Can you please re-roll patch.

bulldozer2003’s picture

This patch adds the "Use the administration pages" permission, backporting it from 7.x-2.x.

amitaibu’s picture

Status: Needs review » Fixed

Committed, thanks.

djween’s picture

> @djween Give your admin role the new user admin pages permission and the group tab will show up now :-)

@bulldozer2003 That was not the issue -- group admin tab has been showing up fine. Issue is that some permissions (in particular those in the Organic groups UI section) on admin/config/group/permissions are not taking hold.

See attached screenshot for what I have unchecked:
--Approve and deny subscription
--Add user
--Use the administration pages

Yet, user has access to all of those.

Could this be a weights issue? However, I am not sure what would be able to affect these specific settings.

djween’s picture

Version: 7.x-1.x-dev » 7.x-1.3
djween’s picture

Status: Fixed » Active
bulldozer2003’s picture

Either "administer group" and/or they're the group manager with "group manager full permissions" checked. Can you screen shot the whole permissions page (take out the * content perms if desired) and the OG settings page?

Also, are you logged in with uid 1?

djween’s picture

FileSize
251.93 KB
18.38 KB

@bulldozer2003 I understand what you are saying but it is not working.
Attached are additional screengrabs as per your request and comments on the screengrabs.

bulldozer2003’s picture

Your note about what happens with the "group manager full permissions" setting is abnormal. When I was writing the patches I was testing all of these settings on a clean install with the 7.x-1.x branch. I tested the "group manager full permissions" both on and off and also tried with all the various other permissions on and off.

I know I used 7.x-1.x; could you try 7.x-1.3 and possibly 7.x-1.x on a test install?

Also, after patching, did you run the update script and have you cleared caches?

djween’s picture

I am working with 7.x-1.3. Is that what you validated against?
I am open to doing a quick Webex if you are willing.

I have patched, cleared cache numerous times, rebuilt permissions, logged in and out, tested different users, reconfigured perms to try different configurations.

These are all the access modules I am using btw...
----------------------------------------------------------------
Content Access 7.x-1.2-beta1
Organic groups field access 7.x-1.3
Organic groups access control 7.x-1.3
OG create permissions 7.x-1.0

bulldozer2003’s picture

I tested 7.x-1.x, can you please create a fresh install with only OG and see if you have the same problems. Try with 7.x-1.3 and 7.x-1.x.

Maybe the maintainer can be convinced to upgrade 7.x-1.x stable if you find 1.3 is the problem. That is where my patches have been going too.

KorbenDallas’s picture

bulldozer2003, I'm running 7.x-1.x and patch #20 doesn't work for me. The group admin user gets "access denied". Please help if you can

djween’s picture

#29 @bulldozer2003 Because of my setup here it is not feasible for me to do a fresh install for this extra testing. Currently I am only able to help test with my current configuration.