Outsiders: combination of individual groups' permissions applies to all groups

Created on 16 December 2022, about 2 years ago
Updated 12 September 2024, 4 months ago

Problem/Motivation

In my setups (incl. a clean setup from scratch), setting for example these individual permissions:

  • Group A: + group-outsider[view group]
  • Group B: + group-outsider[join group]

results in outsiders being able to both see and join groups A and B.

It makes no difference how these permissions are set globally (with group module).

Steps to reproduce

  • Enable group, group_permissions
  • Add an additional user account
  • Add a group type
  • Set permission: group admin can override permissions per group
  • As admin, create two groups (1 and 2), become group admin
  • Override permissions for group 1: add "Outsider: View published group"
  • As the additional user, both groups can be accessed.
  • The same applies to any permission: both groups will have it

Proposed resolution

I haven't figured out the reason yet.

Remaining tasks

Try more things: check if only outsider permissions are affected, check the scope of "combined permissions" (per owning user or all existing groups?)

🐛 Bug report
Status

Needs work

Version

2.0

Component

Code

Created by

🇩🇪Germany kmetz

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • @lobsterr opened merge request.
  • 🇧🇪Belgium lobsterr

    I have finally found the way to do it. I think we are good now!
    Please check it and I will tag a new release

  • 🇩🇪Germany kmetz

    Thank you, appreciating the progress very much.

    In 1f16f22d, a service class seems to be missing so I couldn't test it: Drupal\group_permissions\Access\GroupPermissionChecker (group_permissions.checker)

  • Status changed to Needs work almost 2 years ago
  • Status changed to Needs review almost 2 years ago
  • 🇧🇪Belgium lobsterr

    I forgot to commit it. Now it is there

  • Status changed to Needs work almost 2 years ago
  • 🇩🇪Germany kmetz

    I found a small bug in GroupPermissionChecker.php (see my gitlab comment, https://git.drupalcode.org/issue/group_permissions-3327680/-/commit/7981...). Fixing it, it looks very good so far, permissions seem to resolve correctly per-group.

    Another thing that doesn't yet work is the "view group" permission in a list (like a view, or other access-controlled query result) of groups. The group type (bundle) level permission works as expected, that's implemented in \Drupal\group\QueryAccess\EntityQueryAlter. Is Not sure if there is an easy solution at hand for query altering, I couldn't look very deep into it yet. Is that a regression, or a separate issue? Anyways, a release without that fixed should make sense (it can be worked around somewhat, for example by disabling query altering in a view and filtering results directly in the view).

  • Assigned to lobsterr
  • 🇧🇪Belgium lobsterr

    And again, my approach doesn't work :( I completely forgot about QueryAlter classes. I need some more time to try to find how I can make it work.

  • 🇧🇪Belgium msnassar

    Here is a patch has been originated from the MR at commit 798169a7. It adds the following to the MR:

    • Fix property assignment $this->groupPermissionsManager = $group_membership_loader
    • Add group_list cache tag to the synchronized group permission calculator.
    • Add the group bundle "group_permission:{$group_permission->getGroup()->bundle()}:{$group_permission->getGroup()->id()}" to the calculated permission items for the synchronized group permission calculator
    • Add new tag "group_permission:{$group_permission->getGroup()->bundle()}:{$group_permission->getGroup()->id()}" to the cached calulated permissions.

    Regarding the QueryAlter issues, I think we should fix it in another ticket. It seems there is no an easy way to be fixed in a contrib modules/custom code without overriding the Query alter classes that comes with group module.
    The thing is, group module assumes that the group permission items:
    - Have only the group id as identifier for the calculated individual group permissions.
    - Have only the group bundle as identifier for the calculated synchronized group permissions.
    Which is totally prefect for group module. But this is not the case for modules like group_permissions. However, as I mentioned, we could override the query alter classes that are provided by group module. But, I believe the group module should make it easier for other modules
    to intervein. So I think we should fix this in a separate ticket. As a workaround, I am applying a local patch to the group module to make the
    query alters working with group_permissions.

  • 🇧🇪Belgium msnassar

    In one group type, we are running some custom code that checks the access on the from mode of the group type. Due to the fact that the group is not exists on the group create, we get a fatal error:
    Drupal\Core\Database\InvalidQueryException: Query condition 'group_permission.gid IN ()' cannot be empty. in Drupal\Core\Database\Query\Condition->condition() (line 117 of core/lib/Drupal/Core/Database/Query/Condition.php).

    I think, we should always check the group id before loading group_permission entity by a group..

      public function loadByGroup(GroupInterface $group) {
        if (!$group->id()) {
          return NULL;
        }
        $group_permissions = $this->loadByProperties(['gid' => $group->id()]);
        return !empty($group_permissions) ? reset($group_permissions) : NULL;
      }

    Here is the patch in #11 with this little fix included.

  • i think i am having similar problem:

    1. i'm using Group Permissions 2.0-alpha5 with Group 3.2.2
    2. by default, my group permissions restricts access to only member, not outsider
    3. i create one group (#1) and add one member, permissions are correct for both members and outsiders
    4. i give group #1 outsider the same permission as member, new permissions work correctly also (outsider have same permission as members)
    5. i create a second group (#2) and without adding member nor changing the permission, outsiders have the same permission as members!

    hope this will get resolved soon (:

  • 🇧🇪Belgium lobsterr

    lobsterr changed the visibility of the branch 3327680-outsiders-combination-of to hidden.

  • 🇧🇪Belgium lobsterr

    lobsterr changed the visibility of the branch 3327680-outsiders-combination-of to active.

Production build 0.71.5 2024