Issue #3490462: Revoke "Join group" and "request group membership" fr…

…om Authenticated (outsider) group role.
goalgorilla · Dec 11, 2024 · 138da48 · 138da48
1 parent 020f5e4
commit 138da48
Show file tree

Hide file tree

Showing 9 changed files with 80 additions and 19 deletions.
diff --git a/...modules/social_group_flexible_group/config/install/group.role.flexible_group-outsider.yml b/...modules/social_group_flexible_group/config/install/group.role.flexible_group-outsider.yml
@@ -13,7 +13,6 @@ group_type: flexible_group
 permissions:
   - 'access comments'
   - 'access posts in group'
-  - 'join group'
   - 'update own group_node:event entity'
   - 'update own group_node:topic entity'
   - 'view group'

diff --git a/...modules/social_group_flexible_group/config/install/group.role.flexible_group-verified.yml b/...modules/social_group_flexible_group/config/install/group.role.flexible_group-verified.yml
@@ -13,6 +13,7 @@ permissions:
   - 'access comments'
   - 'access posts in group'
   - 'join group'
+  - 'request group membership'
   - 'update own group_node:event entity'
   - 'update own group_node:topic entity'
   - 'view group'

diff --git a/...ures/social_group/modules/social_group_flexible_group/social_group_flexible_group.install b/...ures/social_group/modules/social_group_flexible_group/social_group_flexible_group.install
@@ -7,6 +7,7 @@
 
 use Drupal\Core\Config\FileStorage;
 use Drupal\group\Entity\GroupInterface;
+use Drupal\group\Entity\GroupRoleInterface;
 use Drupal\group\GroupMembership;
 use Drupal\social_group\Entity\Group;
 use Drupal\user\Entity\User;
@@ -332,3 +333,37 @@ function social_group_flexible_group_update_130008(): void {
     ->set('content', $content)
     ->save();
 }
+
+/**
+ * Revoke permissions for Authenticated (outsider) group role.
+ */
+function social_group_flexible_group_update_130009(): void {
+  $group_authenticated_role = \Drupal::entityTypeManager()
+    ->getStorage('group_role')
+    ->load('flexible_group-outsider');
+
+  if ($group_authenticated_role instanceof GroupRoleInterface) {
+    $group_authenticated_role->revokePermissions([
+      'join group',
+      'request group membership',
+    ])->save();
+  }
+
+}
+
+/**
+ * Grant permissions for Verified (outsider) group role.
+ */
+function social_group_flexible_group_update_130010(): void {
+  $group_verified_role = \Drupal::entityTypeManager()
+    ->getStorage('group_role')
+    ->load('flexible_group-verified');
+
+  if ($group_verified_role instanceof GroupRoleInterface) {
+    $group_verified_role->grantPermissions([
+      'join group',
+      'request group membership',
+    ])->save();
+  }
+
+}
diff --git a/...social_features/social_group/modules/social_group_flexible_group/src/Subscriber/Route.php b/...social_features/social_group/modules/social_group_flexible_group/src/Subscriber/Route.php
@@ -57,6 +57,7 @@ protected function alterRoutes(RouteCollection $collection) {
         $route->addRequirements($requirements);
       }
     }
+
   }
 
 }
diff --git a/...cial_group/modules/social_group_invite/src/Controller/SocialGroupInvitationController.php b/...cial_group/modules/social_group_invite/src/Controller/SocialGroupInvitationController.php
@@ -0,0 +1,28 @@
+<?php
+
+namespace Drupal\social_group_invite\Controller;
+
+use Drupal\Core\Access\AccessResult;
+use Drupal\ginvite\Controller\InvitationOperations;
+use Drupal\group\Entity\GroupRelationshipInterface;
+
+/**
+ * Handles Accept/Decline operations and Access check for Social groups.
+ */
+class SocialGroupInvitationController extends InvitationOperations {
+
+  /**
+   * {@inheritDoc}
+   */
+  public function checkAccess(GroupRelationshipInterface $group_content): AccessResult {
+    $result = parent::checkAccess($group_content);
+    $group = $group_content->getGroup();
+
+    if (!$group->hasPermission('join group', $this->currentUser())) {
+      AccessResult::forbidden();
+    }
+
+    return $result;
+  }
+
+}
diff --git a/...cial_group/modules/social_group_invite/src/Controller/SocialGroupInvitationOperations.php b/...cial_group/modules/social_group_invite/src/Controller/SocialGroupInvitationOperations.php
@@ -61,9 +61,10 @@ public function accepted(Request $request, GroupRelationshipInterface $group_con
    */
   public function checkAccess(GroupRelationshipInterface $group_content) {
     $invited = $group_content->getEntityId();
+    $group = $group_content->getGroup();
 
     // Only allow user accept/decline own invitations.
-    if ($invited == $this->currentUser()->id()) {
+    if ($invited == $this->currentUser()->id() && $group->hasPermission('join group', $this->currentUser())) {
       return AccessResult::allowed();
     }
     return AccessResult::forbidden();

diff --git a/.../social_features/social_group/modules/social_group_invite/src/Routing/RouteSubscriber.php b/.../social_features/social_group/modules/social_group_invite/src/Routing/RouteSubscriber.php
@@ -3,6 +3,7 @@
 namespace Drupal\social_group_invite\Routing;
 
 use Drupal\Core\Routing\RouteSubscriberBase;
+use Drupal\social_group_invite\Controller\SocialGroupInvitationController;
 use Symfony\Component\Routing\RouteCollection;
 
 /**
@@ -26,6 +27,14 @@ protected function alterRoutes(RouteCollection $collection) {
       $route->setDefaults($defaults);
       $route->setRequirements($requirements);
     }
+
+    // Do not allow to accept invitation without "join group" permission.
+    if ($route = $collection->get('ginvite.invitation.accept')) {
+      $route->setRequirement(
+        '_custom_access',
+        SocialGroupInvitationController::class . '::checkAccess',
+      );
+    }
   }
 
 }
diff --git a/...es/social_features/social_group/modules/social_group_request/social_group_request.install b/...es/social_features/social_group/modules/social_group_request/social_group_request.install
@@ -40,11 +40,11 @@ function social_group_request_update_dependencies(): array {
  */
 function _social_group_request_set_permissions(): void {
   if (\Drupal::moduleHandler()->moduleExists('social_group_flexible_group')) {
-    /** @var \Drupal\group\Entity\GroupRoleInterface $outsider */
-    $outsider = \Drupal::entityTypeManager()
+    /** @var \Drupal\group\Entity\GroupRoleInterface $verified */
+    $verified = \Drupal::entityTypeManager()
       ->getStorage('group_role')
-      ->load('flexible_group-outsider');
-    $outsider->grantPermission('request group membership')->save();
+      ->load('flexible_group-verified');
+    $verified->grantPermission('request group membership')->save();
 
     /** @var \Drupal\group\Entity\GroupRoleInterface $group_manager */
     $group_manager = \Drupal::entityTypeManager()

diff --git a/...atures/social_group/modules/social_group_request/src/SocialGroupRequestConfigOverride.php b/...atures/social_group/modules/social_group_request/src/SocialGroupRequestConfigOverride.php
@@ -87,19 +87,6 @@ public function loadOverrides($names) {
     $outsider_role_configs = [];
     foreach ($social_group_types as $social_group_type) {
       $default_form_display_configs[] = "core.entity_form_display.group.{$social_group_type}.default";
-      $outsider_role_configs[] = "group.role.{$social_group_type}-outsider";
-    }
-
-    foreach ($outsider_role_configs as $config_name) {
-      if (in_array($config_name, $names)) {
-        $config = $this->configFactory->getEditable($config_name);
-        $permissions = $config->get('permissions');
-        $permissions[] = 'request group membership';
-
-        $overrides[$config_name] = [
-          'permissions' => $permissions,
-        ];
-      }
     }
 
     foreach ($default_form_display_configs as $config_name) {
-Original file line number
+Diff line change
@@ Expand Up / @@ -57,6 +57,7 @@ protected function alterRoutes(RouteCollection $collection) { @@
             $route->addRequirements($requirements);
           }
         }
       }
     }