Security advisory for group module

wxt includes version 1.6 of the group module which is unaffected by the security advisory

lowering to normal, since wxt is currently not affected.

GROUP support Status
8.x-1.x Drupal 8 / 9 Security fixes only
2.x.x Drupal 9 / 10 Upgrade path from 8.x-1.x
3.x.x Drupal 9 / 10 For fresh installs
It is a good point that Wxt is using an expired generation of this contrib line.

@PratikshaD
related question: how did you download and install Wxt?:

bug.

I was able to apply the patch, I but ran composer update -W after that and the module wasn't upgraded, maybe I am missing something?

@danrod, when you run compose update, dependencies are calculated before patches are applied. This means you can't patch a composer.json file to change the module version like this. You would have to do this in your root composer.json file, for example:

"require": {
  "drupal/group": "2.0.0 as 1.6.0"
}

Yeah since they say group 1.6 isn't supported in D10 prolly something we have to do.

Sadly I do notice that there are no corresponding patches for the 2.x.x line so I'm hoping the problem is just fixed that those patches were attempting to address.

            "drupal/group": {
                "Enter drupal/group patch #2817109 description here":
                "https://www.drupal.org/files/issues/2817109-by-rachel_norfolk-ericras-How-to-redir.patch",
                "Enter drupal/group patch #2864721 description here":
                "https://www.drupal.org/files/issues/2020-07-30/group-translate_content_permission-2864721-20.patch",
                "Enter drupal/group patch #2895988 description here":
                "https://www.drupal.org/files/issues/2022-07-31/2895988-29.patch"
            },

Becomes

            "drupal/group": {
                "Enter drupal/group patch #2817109 description here":
                "https://www.drupal.org/files/issues/2022-11-02/2817109-2.0.x-how-to-redirect-30.patch"
            },

@sylus
I do agree we need to cycle back are review those 2 patches, verify if contrib has 'fixed' in some other way.
otherwise
- see if those issues continue in other issues now.
- port those patches for Group 2.x. if still needed..

We've been developing recently with group 3.2.1 without any patches.

It is working thusfar.

As far as I'm concerned, this doesn't inhibit our desire to upgrade to 5.1.x

Whatever you go with, we'll override the group version and go with 3.2.2 and add patches-ignore for any broken patches.

What I'm most impatient for is a tagged release of 5.1.0-rc1

We're fine with whatever happens with the group module and we will just override composer requirements for this module as needed.

@joseph

#2864721: Group-Permission to translate content →
📌 Improve performance of the membership loader Needs work
loosing these are release manager notes for sure for now.
However, if indeed we are okay in keeping v1 group because it doesn't have the security bug -- then we can PAUSE THIS (revert dev) ISSUE untill we can verify, recover these patches (should be low trouble..)

fyi: I should be able to do this over the next few days. i do have some some other day tasks right now (:

-> going to v3 Group we'll need an upgrade path for COMMENT #6 → . again, we still need to verify the patches/functionality is 'in scope'

please also merge into 5.1.x

Hmm, if this was merged into 5.1.x and pushed into the gitlab repos, normally drupal.org will add the commits into this issue as they have the issue number. I'll check 5.1.x now

I just checked 5.1.x, neither of these commits made it into head.

Probably should either merge 5.0.x and sort out the conflicts or else cherry pick everything that was missed that needs to go in.

It'd probably be easier to take a copy of 5.1.x composer.json , put them aside, merge everything in and then compare the composer.json from the merged branch to the one put aside from before the merge and just see if the merged changes make sense.

I just did a merge locally of 5.0.x to 5.1.x, it's easy enough to sort out the conflicts and they all make sense, mostly just info files for wxt , should be easy to sort out manually.

re: group patches

2895988 - purpose of patch: to add caching to permission lookups.
These seems to be resolved in the Group v2 line by the refactoring around GroupMembershipLoader() now uses a 'NewGroupMembership' (class alias) which now CacheableDependencyInterface. Seems to negate the need for this patch!
class GroupMembership implements CacheableDependencyInterface {

@sylus & @joseph.olstad:

re: #2864721: Group-Permission to translate content →
would either of you perhaps know if https://www.drupal.org/project/group_permissions → be a substitute for this patch? I gather this project would let us build in the same permission to 'translate {gnode} entity'?

secondly, from the original patch on 1.6 where the UI/checkbox options get added?

Thanks @SKAUGHT and I took a look at the other patch and it seems its also resolved and mentioned in this comment here:

https://www.drupal.org/project/group/issues/2864721#comment-13928947 →

Using Drupal 9.1 with Groups, no longer requires this patch (#2864721). It is resolved in Drupal 9.1 (and likely with patch https://www.drupal.org/project/drupal/issues/2972308 → for previous Drupal versions).

The next comment references functionality we might lose but seems like an edge case.

I pushed an update to group ^2.2 with the patches removed and just want to test an upgrade.

Okay with flexible_permissions added and enabled in an earlier release.

Group has been updated to ^2.2 with the comments above still being correct.

Marking this ticket as Fixed after confirming 5.2.x and 5.3.x both have the drupal/group ^2.2, with flexible_permissions.