og icon indicating copy to clipboard operation
og copied to clipboard

Published 20 hours ago verified publisher icon Gizra

group_manager_full_access results in content owner having full access

Open heddn opened this issue 7 years ago • 1 comments

When enabled the group manager will have all the permissions in the group.

The below doesn't meet expectations. It gives content owner full access on the content, including delete. I didn't grant this user delete permission. But they get it anyway.

In OgAccess:

    if ($config->get('group_manager_full_access') && $user->isAuthenticated() && $group instanceof EntityOwnerInterface) {
      $cacheable_metadata->addCacheableDependency($group);
      if ($group->getOwnerId() == $user->id()) {
        return AccessResult::allowed()->addCacheableDependency($cacheable_metadata);
      }
    }

heddn avatar Aug 10 '18 17:08 heddn

In OG the "group manager" is an alias for the owner of the group entity. So this flag controls full access for the group entity owner / author.

With "content owner" do you mean the owner of the group entity or of the group content entity?

pfrenssen avatar Aug 12 '20 07:08 pfrenssen