Great module.

One thing I thought was missing was the ability for groups to be 'owned' by the creator of the group. I want to use this to allow users to create their own content permission groups and manage the users themselves. They may also want to allow other users to manage users.

Problem was that the groups entity doesn't track who created it.

Second problem is that the owning user could accidentally remove themselves from the 'admin' role (and thus user 1 needs to come in and restore them).

Third problem - someone they have added in at administration level could usurp the group owner from the admin role - again needing user 1 to get involved and restore the owner to his rightful place!

So I created a little patch that does the following;

1. Adds a uid property on the group entity (groups table)
2. Provides a setting variable along the lines of your 'default roles'. This setting is used to protect the owning user from having certain roles removed from them by either themselves OR any other user. The exception here is User 1 who can remove them as normal.
3. Uses the settings variable on the Edit member form to disable active checkboxes from being manipulated by anyone other than user 1 for the user who is defined as the owner/creator of the group.

I've checked it and it doesn't seem to bugger things up... which is nice!

Patch to be added on first comment

CommentFileSizeAuthor
#5 add permission.png16.72 KBzhongguo999999
#1 group-Ownership_Protection-2224589-1.patch6.38 KBsabsbrain
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

sabsbrain’s picture

sabsbrain CreditAttribution: sabsbrain commented
FileSize
group-Ownership_Protection-2224589-1.patch6.38 KB

Here is the patch

Apply with

patch -p1 < group-Ownership_Protection-2224589-1.patch

kristiaanvandeneynde’s picture

kristiaanvandeneynde
Primary language Dutch
Location Antwerp, Belgium
CreditAttribution: kristiaanvandeneynde commented

Patch looks very interesting, I will look into this. Thanks!

I was thinking of adding a "group author" before but chose to roll with a default role instead. My reasoning behind that decision was that I wanted to avoid an 'abandoned ship' scenario.

If a group author were to leave a group or cancel his account, he would lose control over the groups he had created. In an ideal world, we could work with a 'designate successor' scenario, but in reality that won't work out very well.

Protecting the author from being demoted or kicked by his peers is interesting, though. I've got a feeling this needs a little bit more thought, but your patch most certainly contains very useful code already.

So again, thanks :)

sabsbrain’s picture

sabsbrain CreditAttribution: sabsbrain commented

Hope it helps.

My view is this is an important feature so that groups can be largely self-managing.

I see your excellent module as a 'Group API' type of thing. It provides the facilities to manage groups and then you extend from that.

Regarding a better solution to ownership (mine is admittedly a simple blunt instrument), I'd say keep it simple.

  • Creator of the group is recorded as the owner and probably should be treated as the 'User 1' of this group (this removes the risk of having permissions accidentally removed by others and thus ditches my kludge for protection roles)
  • If the creator leaves the group, then he can simply change the ownership to one of the members via a simple form. That then stamps that user as the new owner.
  • If the creator doesn't do this then the site can operate much like drupal.org for 'abandoned' projects - you contact someone to ask them to transfer the group to you and a site administrator does that when they are satisfied the original user has abandoned the group / site.

A more advanced transfer method probably should be a separate (contrib) module?
Multiple owners should again be a contrib extension.

Anyway. I look forward to a more permanent solution to this and will happily help out if I can!

ctrlADel’s picture

ctrlADel
Primary language English
Location North Carolina, USA
CreditAttribution: ctrlADel commented

I've come across this problem now and I think that assigning the group creator all the permissions would be a bit overkill. As it stands the current drupal permissions related to the module aren't granular enough to allow for anybody but a site admin of some sort to be changing the permissions/roles of a group so all you have to protect against is the last group admin removing their admin role or leaving the group. Since this is the case all you really need to do is protect the admin role of the last member with admin permissions. So on the roles management page add a check box for each role that signifies it as 'administrator' role/s then before removing a role or membership check to see if it is the last admin role in the group. If it is don't allow the member to leave/be removed or remove that role. In the case of a group type not needing a group admin because it is administered by site admins selecting no roles should be an option and mean that there are no checks for the last admin.

The only thing i'm not really sure about is should the checked roles be treated as an AND or OR. Like should the group contain a member with at least one of the admin roles or should a group contain a member with all of the admin roles. How would global and local roles interact in that sense also? Questions upon questions.

zhongguo999999’s picture

zhongguo999999 CreditAttribution: zhongguo999999 commented
FileSize
add permission.png16.72 KB

I want to use this module to allow users to create their own group and manage the users themselves.

So my advice would be:
1. The group creator can administer their own group.
2. The group creator can administer their group members.

Of course, for security implications, remove the group creator's permission that assign a role to a user.

Great module, thank you.

kristiaanvandeneynde’s picture

kristiaanvandeneynde
Primary language Dutch
Location Antwerp, Belgium
CreditAttribution: kristiaanvandeneynde commented

Hey there, i'ts been hectic around the office, I'll get back to you as soon as I can :)

kristiaanvandeneynde’s picture

kristiaanvandeneynde
Primary language Dutch
Location Antwerp, Belgium
CreditAttribution: kristiaanvandeneynde commented

Okay zhongguo999999, I've got some time to respond now. Consider this a 'support request' until I've figured out which way I want to go with group authors.

For your use case, I recommend the following:

  1. create a group role "Owner" (global or specific, your choice)
  2. assign the "Administer group" and "Administer group members" permissions to "Owner"
  3. set the group type's default role as "Owner"

Anyone who now creates a group, automatically gains admin rights for that group.

zhongguo999999’s picture

zhongguo999999 CreditAttribution: zhongguo999999 commented

@kristiaanvandeneynde
Thanks very much for your reply.

This is a good solution.
Actually, that is what I have done.

But sadly, we can never be sure who is the author of the group. It would be impossible for me to limit the number of group someone creates. It would be impossible for me to restrict permission between author and admin.

Thank you again, I'd love to hear any suggestions y'all might have, or any insight towards doing this.

nickonom’s picture

nickonom CreditAttribution: nickonom commented

I am hitting exactly the same wall as the original author - need to protect group owner from accidentally removing herself from owner role. Unfortunately, the patch doesn't apply anymore as it was created against now non-existent /admin/group.config.inc file, so apparently the module has changed a lot since two years ago, when this request was originally filed. I second this request and hope that some good solution will be implemented to meet it. Thanks!

kristiaanvandeneynde’s picture

kristiaanvandeneynde
Primary language Dutch
Location Antwerp, Belgium
CreditAttribution: kristiaanvandeneynde at Deeson commented

Have you tried the suggestion in #7?

nickonom’s picture

nickonom CreditAttribution: nickonom commented

Hi Kristiaan,

Yes, I am doing exactly like suggested in #7, however that doesn't prevent owner to remove herself from the role. And when she does then she looses view access to the group despite the fact she still remains a member of the group. Which is also not desirable result.

kristiaanvandeneynde’s picture

kristiaanvandeneynde
Primary language Dutch
Location Antwerp, Belgium
CreditAttribution: kristiaanvandeneynde at Deeson commented

Hmm, seems like this feature request would be a good fit for a submodule or contrib module: role permissions. Choose which roles a member can assign or remove based on permissions. Something like:

* Assign role Editor to a member
* Remove role Editor from a member
* Assign role Creator to a member
* Remove role Creator from a member

Something along those lines would not only solve this use case, but potentially many others as well.

nickonom’s picture

nickonom CreditAttribution: nickonom commented

You nailed it, the "role permissions" module would do great not only for this module, but Drupal at whole.

nickonom’s picture

nickonom CreditAttribution: nickonom commented
Status: Needs review » Active

Changing status back to just Active as the patch doesn't apply anymore, so no need for reviews.

Soul88’s picture

Soul88
Primary language Ukrainian
Location Ukraine
CreditAttribution: Soul88 commented
Status: Active » Closed (outdated)

We thank everyone for their collaboration on this issue, but as the D7 version is no longer supported, we will now close all D7 issues to keep the issue queue a bit tidier. This information won't go anywhere, it just won't show up on the list of open issues anymore.

Please see: https://www.drupal.org/project/group/issues/3163655 and https://www.drupal.org/project/group/issues/3203863#comment-14100281 for more details.