og 7.x-2.x-dev from 2012-Sep-14
Non-group-member could post in a group using the create link block.

While being in a group where I'm not a member I still can see the create link block (using panels).
Using one of the shown create links will result in an URL like /node/add/news?og_group_ref=10&destination=node/10. Saving the form would result in a node news within the group with the nid 10. The reference field stays empty while creating the node. No error massage comes up.

Showing the create link block only to users with the appropriate rights isn't a solution as the user still could alter a URL to publish in group where he isn't a member.

The OG settings says that "Group manager full permissions" if off.
"Strict node access permissions" is ticked.
Non-Members have only rights to view the fields but are not allowed to do something.

Organic groups field access module is enabled.
Members which haven't created a group on their own will only the the title field while creating a node within a group they are not a member of. -> they have no field edit rights.

Comments

Project:Organic groups» Entityreference prepopulate
Version:7.x-2.x-dev» 7.x-1.x-dev
Component:og.module» Code
Status:Active» Fixed

Moved OG & er-prepopulate integration into the er-prepopulate itself.

even with the latest entityreference_prepopulate this isn't fixed. It's a security issue as the organic group access restrictions are not working. Registered users can publish in whatever group they want to post to without beeing a member.

Did you git pull?
Not security issue, as this is still in dev, without official release .

no, I used drush.

Status:Fixed» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.