Answer nodes shouldn't display audience selection form [#2063289]

On a live site I've noticed that answers posted to questions in a private group are visible to non-members in the 'recent site activity' stream and the answer itself is also visible. I think that anyone 'liking' the answer also appears in the site activity stream to non-members.

Note that the questions themselves show 'access denied' message correctly.

I've just updated to all of the latest modules which I thought might be relevant, but problem still persists, namely:

commons groups 7.x-3.3
organic groups 7.x-2.3
commons activity streams 7.x-3.3
message notify 7.x-2.5
message subscribe 7.x-1.0-alpha5
commons q & a 7.x-3.3

I also set the new 3.3 privacy setting on the groups to 'invite only', in place of the earlier 'private' setting.

Comment	File	Size	Author
#7	commons-trusted-contacts-hide-audience-2063289-7-b.patch	706 bytes	ezra-g
#7	commons-qa-hide-audience-answers-2063289-7.patch	799 bytes	ezra-g
#3	What_up____CL12.png	48.26 KB	ezra-g

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

ezra-g CreditAttribution: ezra-g commented 12 August 2013 at 14:13

Priority:	Normal	» Critical
Issue tags:		+Commons 7.x-3.3 radar

Adding to the 7.x-3.3 radar. Thanks for the bug report.

Comment #2

andyingham CreditAttribution: andyingham commented 12 August 2013 at 17:22

Many thanks for picking this up Ezra.

Comment #3

ezra-g CreditAttribution: ezra-g commented 12 August 2013 at 18:40

Title:	Answers to questions posted in a private group are visible to non-members	» Answer nodes shouldn't display audience selection form
Assigned:	Unassigned	» ezra-g

File	Size
What_up____CL12.png	48.26 KB

I'm not able to reproduce this with Commons packaged from build-commons.dev.make.

However, I do see that the Groups audience/trusted contacts form elements display on answer nodes, when they shouldn't display at all.

Comment #4

andyingham CreditAttribution: andyingham commented 13 August 2013 at 12:32

Hi Ezra,

Ok, I've now re-tested this. It looks as though answers created prior to recent module updates are still visible to non-group members. However, if I create a new question and answer, after having updated modules, then a non-group member is (correctly) prevented from seeing the answer, so that's all good.

However, the posting of the answer does still show in the non-group member's 'Recent site activity' stream (view = Commons Activity Streams - Activity (Site-wide) (Message)). Presumably the filter criteria '(Content entity referenced from field_target_nodes) Content access: Access' should be filtering this out, rather than my having to add an additional filter?

Andy

Comment #5

ezra-g CreditAttribution: ezra-g commented 13 August 2013 at 12:33

What version of Commons were you using when you created the answers?

Comment #6

andyingham CreditAttribution: andyingham commented 13 August 2013 at 12:40

All the answers were posted whilst using Commons 7.x-3.2.

Comment #7

ezra-g CreditAttribution: ezra-g commented 13 August 2013 at 14:22

Status:

Active

» Needs review

File	Size
commons-qa-hide-audience-answers-2063289-7.patch	799 bytes
commons-trusted-contacts-hide-audience-2063289-7-b.patch	706 bytes

@andyingham, please file a new issue so that we can look into this.

Regarding the present issue, one challenge to fixing the present behavior is that both Commons Trusted Contacts and Commons Q_A use hook_module_implements_alter() to change their hook_form_alter() implementations to run last.

I propose we take an approach similar to what QuickTabs module does to address the same challenge with weights. The proposed one-liner patches to Commons_Trusted_contacts and Commons_QA define a $form_state['hide_audience_toggle'] value that allows us to set #access to false on the audience toggle.