Outsiders: combination of individual groups' permissions applies to all groups

I have finally found the way to do it. I think we are good now!
Please check it and I will tag a new release

Thank you, appreciating the progress very much.

In 1f16f22d, a service class seems to be missing so I couldn't test it: Drupal\group_permissions\Access\GroupPermissionChecker (group_permissions.checker)

I forgot to commit it. Now it is there

I found a small bug in GroupPermissionChecker.php (see my gitlab comment, https://git.drupalcode.org/issue/group_permissions-3327680/-/commit/7981...). Fixing it, it looks very good so far, permissions seem to resolve correctly per-group.

Another thing that doesn't yet work is the "view group" permission in a list (like a view, or other access-controlled query result) of groups. The group type (bundle) level permission works as expected, that's implemented in \Drupal\group\QueryAccess\EntityQueryAlter. Is Not sure if there is an easy solution at hand for query altering, I couldn't look very deep into it yet. Is that a regression, or a separate issue? Anyways, a release without that fixed should make sense (it can be worked around somewhat, for example by disabling query altering in a view and filtering results directly in the view).

And again, my approach doesn't work :( I completely forgot about QueryAlter classes. I need some more time to try to find how I can make it work.

Here is a patch has been originated from the MR at commit 798169a7. It adds the following to the MR:

• Fix property assignment $this->groupPermissionsManager = $group_membership_loader
• Add group_list cache tag to the synchronized group permission calculator.
• Add the group bundle "group_permission:{$group_permission->getGroup()->bundle()}:{$group_permission->getGroup()->id()}" to the calculated permission items for the synchronized group permission calculator
• Add new tag "group_permission:{$group_permission->getGroup()->bundle()}:{$group_permission->getGroup()->id()}" to the cached calulated permissions.

Regarding the QueryAlter issues, I think we should fix it in another ticket. It seems there is no an easy way to be fixed in a contrib modules/custom code without overriding the Query alter classes that comes with group module.
The thing is, group module assumes that the group permission items:
- Have only the group id as identifier for the calculated individual group permissions.
- Have only the group bundle as identifier for the calculated synchronized group permissions.
Which is totally prefect for group module. But this is not the case for modules like group_permissions. However, as I mentioned, we could override the query alter classes that are provided by group module. But, I believe the group module should make it easier for other modules
to intervein. So I think we should fix this in a separate ticket. As a workaround, I am applying a local patch to the group module to make the
query alters working with group_permissions.

In one group type, we are running some custom code that checks the access on the from mode of the group type. Due to the fact that the group is not exists on the group create, we get a fatal error:
Drupal\Core\Database\InvalidQueryException: Query condition 'group_permission.gid IN ()' cannot be empty. in Drupal\Core\Database\Query\Condition->condition() (line 117 of core/lib/Drupal/Core/Database/Query/Condition.php).

I think, we should always check the group id before loading group_permission entity by a group..

  public function loadByGroup(GroupInterface $group) {
    if (!$group->id()) {
      return NULL;
    }
    $group_permissions = $this->loadByProperties(['gid' => $group->id()]);
    return !empty($group_permissions) ? reset($group_permissions) : NULL;
  }

Here is the patch in #11 with this little fix included.

i think i am having similar problem:

1. i'm using Group Permissions 2.0-alpha5 with Group 3.2.2
2. by default, my group permissions restricts access to only member, not outsider
3. i create one group (#1) and add one member, permissions are correct for both members and outsiders
4. i give group #1 outsider the same permission as member, new permissions work correctly also (outsider have same permission as members)
5. i create a second group (#2) and without adding member nor changing the permission, outsiders have the same permission as members!

hope this will get resolved soon (:

lobsterr → changed the visibility of the branch 3327680-outsiders-combination-of to hidden.

lobsterr → changed the visibility of the branch 3327680-outsiders-combination-of to active.