og 7.x-2.x-dev from 2012-Sep-14
Non-group-member could post in a group using the create link block.
While being in a group where I'm not a member I still can see the create link block (using panels).
Using one of the shown create links will result in an URL like /node/add/news?og_group_ref=10&destination=node/10. Saving the form would result in a node news within the group with the nid 10. The reference field stays empty while creating the node. No error massage comes up.
Showing the create link block only to users with the appropriate rights isn't a solution as the user still could alter a URL to publish in group where he isn't a member.
The OG settings says that "Group manager full permissions" if off.
"Strict node access permissions" is ticked.
Non-Members have only rights to view the fields but are not allowed to do something.
Organic groups field access module is enabled.
Members which haven't created a group on their own will only the the title field while creating a node within a group they are not a member of. -> they have no field edit rights.