og 7.x-2.x-dev from 2012-Sep-14
Non-group-member could post in a group using the create link block.

While in a group where I'm not a member, I can still see the create link block (using Panels).
Using one of the shown create links results in a URL like /node/add/news?og_group_ref=10&destination=node/10. Saving the form results in a news node within the group with the nid 10. The reference field stays empty while creating the node. No error message comes up.

Showing the create link block only to users with the appropriate rights isn't a solution, as the user could still alter a URL to publish in a group where he isn't a member.

In the OG settings, "Group manager full permissions" is off.
"Strict node access permissions" is ticked.
Non-members only have rights to view the fields and are not allowed to do anything else.

The Organic groups field access module is enabled.
Members who haven't created a group of their own will only see the title field while creating a node within a group they are not a member of. -> they have no field edit rights.
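The report shows that hiding the create link block is not enough, because the group is chosen by the og_group_ref query parameter and nothing on the server side confirms membership before the node is saved. The following is an added example of such a server-side check for Drupal 7 with OG 7.x-2.x; it is not code from this issue, from Organic groups or from Entityreference prepopulate. It assumes a hypothetical module named og_member_guard, that the audience field is named og_group_ref (as in the report), that groups are nodes (the report's link points at /node/10), and that the group id may arrive either in the field value or only in the og_group_ref query parameter (the report notes the field shows empty while the node still lands in the group).

```php
<?php
/**
 * Added example for a hypothetical "og_member_guard" module (Drupal 7,
 * OG 7.x-2.x). Not part of the issue, OG or er-prepopulate.
 *
 * Checks on node creation that the current user is an active member of every
 * group the node is being attached to, regardless of whether the group id
 * came from the form field or from a hand-edited ?og_group_ref=NID URL.
 */

/**
 * Implements hook_node_validate().
 */
function og_member_guard_node_validate($node, $form, &$form_state) {
  global $user;

  // Only guard new nodes; edits of existing group content are covered by the
  // normal OG node access checks.
  if (!empty($node->nid)) {
    return;
  }
  // Assumption: holders of OG's "administer group" permission may post
  // in any group.
  if (user_access('administer group')) {
    return;
  }

  foreach (og_member_guard_requested_groups($node) as $gid) {
    // Group entity type 'node' is an assumption (groups are nodes here).
    if (!og_is_member('node', $gid, 'user', $user)) {
      form_set_error('og_group_ref', t('You are not a member of group @gid and cannot post in it.', array('@gid' => $gid)));
      watchdog('og_member_guard', 'User %uid tried to post in group %gid without membership.', array('%uid' => $user->uid, '%gid' => $gid), WATCHDOG_WARNING);
    }
  }
}

/**
 * Collects every group nid the request tries to attach the node to: the items
 * already in the audience field plus the raw prepopulate query parameter.
 */
function og_member_guard_requested_groups($node) {
  $gids = array();

  $items = field_get_items('node', $node, 'og_group_ref');
  if ($items) {
    foreach ($items as $item) {
      if (!empty($item['target_id'])) {
        $gids[] = (int) $item['target_id'];
      }
    }
  }

  // The form posts back to the same URL, so the og_group_ref parameter that
  // er-prepopulate reads is still present during validation.
  $query = drupal_get_query_parameters();
  if (!empty($query['og_group_ref'])) {
    foreach (explode(',', $query['og_group_ref']) as $gid) {
      if (ctype_digit($gid)) {
        $gids[] = (int) $gid;
      }
    }
  }

  return array_unique($gids);
}
```

Because the check runs in validation rather than on link visibility, a request that bypasses the block entirely is still rejected, and the watchdog entry gives site administrators a record of the attempt.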

Comments

amitaibu

Project: Organic groups » Entityreference prepopulate [D7]
Version: 7.x-2.x-dev » 7.x-1.x-dev
Component: og.module » Code
Status: Active » Fixed

Moved OG & er-prepopulate integration into the er-prepopulate itself.

Nchase

Even with the latest entityreference_prepopulate this isn't fixed. It's a security issue, as the organic group access restrictions are not working. Registered users can publish in whatever group they want to post to without being a member.

amitaibu

Did you git pull?
Not a security issue, as this is still in dev, without an official release.

Nchase

No, I used drush.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.