Starting with a clean installation of OG 7.x-2.2, I've altered the Article content type to be group content. I enabled entityreference_prepopulate and gave 'create post content' permissions, but WITH the 'Organic groups field access' module, non-members cannot create any post at all, even with ?og_group_ref=X given, as the readme suggests: node/add/post shows only a title textbox.

Comments

grigorym

Category: support » bug

As far as I can see, the problem here is similar to the one ezra-g is trying to solve with a patch here: http://drupal.org/node/1902086, only on a field level, not on the entity level.

The code in the og_field_access module says:

  if (!$id && $op == 'edit' && (og_is_group($entity_type, $entity) || og_is_group_content_type($entity_type, $bundle))) {
    // This is create form of a non-saved entity, so we check
    // permissions to access the field, for all the groups the user is a
    // member.
    foreach (og_get_entity_groups() as $group_type => $gids) {
      foreach ($gids as $gid) {
        if (og_user_access($group_type, $gid, $perm)) {
          return TRUE;
        }
      }
    }

When the new entity is created, the code requests all the groups the user belongs to, and checks if the user can edit the field in any of them. As with ezra-g's patch, the solution (though with scalability issues) could be to iterate not over the groups the user belongs to, but over the groups which allow him to edit the field (that is, also those friendly to non-members).

If I understand correctly, the problems with the current implementation could include:

Problem 1: imagine the user is allowed to edit only fields A and B within member-group X, and only fields C and D within member-group Y. Then all the fields are shown, and both groups are available. Suppose the user fills all fields A, B, C, D and selects both groups. The checks on all field permissions are performed ONLY when the form is created and shown to the user. When the user selects some groups, no more checks (besides og_group_ref) are performed. Thus it is possible, for instance, to upload an image to a group that does not allow it, given that some other group you belong to allows it. Isn't it a problem?

Problem 2, my case, evidently: if the user does not belong to any group, the cycle is empty, and no field is allowed to be shown, even with prepopulating og_group_ref=X. If we disable the module og_field_access, the post is allowed to be created, both bound (with proper permissions) and unbound. And that should be the case with og_field_access enabled, I deem.

0. Perform field permission checks on creation, when all fields are filled. Use the intersection (not union!) of the permissions on the groups the user wants to assign content to.

1. When creating content which should not necessarily belong to a group (the og_group_ref field is not required), all the fields should be visible and editable (if it is not restricted on some other level). The list of the groups should include not only the groups the user belongs to, but also the groups which allow non-members to create content.

What could it look like?

I'm clicking the "Add Post" link, all the fields are made visible, since the list of groups includes '-None-' (which allows me to create an unbound Post without any restrictions), 'Group A' (which I belong to) and 'Group B' (which I do not belong to). I fill all the fields, and wonder which group to select.

a) If I select '-None-' and save, the content is created.
b) If I select 'Group B' and save, it might say something like 'sorry, we do not allow images in posts of non-members, though we allow posts of non-members'. You have the option either to edit your Post, or to post it to another group.
c) If I select 'Group A' and save, it might say something like 'sorry, we do not allow tags in posts, only group admins may set them'.

Does it make sense?
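
A stand-alone PHP model of the two checks discussed in the comment above, added here as an illustration; it is not code from the Organic Groups module. The function names, the `$grants` map and the field names are constructed assumptions.

```php
<?php
// Constructed sample data: field permissions each group grants to this user.
// Group B stands for a group that lets non-members post, without images.
$grants = [
  'X' => ['field_a', 'field_b'],
  'Y' => ['field_c', 'field_d'],
  'B' => ['field_a'],
];

// Form-build check as in the quoted excerpt: a field is editable if ANY of
// the user's member groups grants it (union). No groups means no fields.
function fields_shown_on_form(array $grants, array $member_gids, array $fields): array {
  $shown = [];
  foreach ($fields as $field) {
    foreach ($member_gids as $gid) {
      if (in_array($field, $grants[$gid] ?? [], true)) {
        $shown[] = $field;
        break;
      }
    }
  }
  return $shown;
}

// Hypothetical save-time check: every filled field must be granted by EVERY
// selected group (intersection). Returns the refused fields per group.
function fields_denied_on_save(array $grants, array $selected_gids, array $filled): array {
  $denied = [];
  foreach ($selected_gids as $gid) {
    $missing = array_values(array_diff($filled, $grants[$gid] ?? []));
    if ($missing) {
      $denied[$gid] = $missing;
    }
  }
  return $denied;
}

$all = ['field_a', 'field_b', 'field_c', 'field_d'];
// Problem 1: a member of X and Y sees all four fields, yet each group refuses two.
print_r(fields_shown_on_form($grants, ['X', 'Y'], $all));
print_r(fields_denied_on_save($grants, ['X', 'Y'], $all));
// Problem 2: a non-member gets an empty form, whatever group is prepopulated.
print_r(fields_shown_on_form($grants, [], $all));
// Proposal: validate against the chosen group; no group chosen means no refusal.
print_r(fields_denied_on_save($grants, ['B'], ['field_a', 'field_image']));
print_r(fields_denied_on_save($grants, [], $all));
```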

grigorym

Issue summary: View changes

incorporated new knowledge