From 138da4840d8a46ada41ae46b521ba7d00b3bf129 Mon Sep 17 00:00:00 2001
From: Roman Chekhaniuk
Date: Thu, 28 Nov 2024 17:07:52 +0200
Subject: [PATCH] Issue #3490462: Revoke "Join group" and "request group membership" from Authenticated (outsider) group role.
---
 .../group.role.flexible_group-outsider.yml | 1 -
 .../group.role.flexible_group-verified.yml | 1 +
 .../social_group_flexible_group.install | 35 +++++++++++++++++++
 .../src/Subscriber/Route.php | 1 +
 .../SocialGroupInvitationController.php | 28 +++++++++++++++
 .../SocialGroupInvitationOperations.php | 3 +-
 .../src/Routing/RouteSubscriber.php | 9 +++++
 .../social_group_request.install | 8 ++---
 .../src/SocialGroupRequestConfigOverride.php | 13 -------
 9 files changed, 80 insertions(+), 19 deletions(-)
 create mode 100644 modules/social_features/social_group/modules/social_group_invite/src/Controller/SocialGroupInvitationController.php
diff --git a/modules/social_features/social_group/modules/social_group_flexible_group/config/install/group.role.flexible_group-outsider.yml b/modules/social_features/social_group/modules/social_group_flexible_group/config/install/group.role.flexible_group-outsider.yml
index 51634f54ec5..938eee07eb0 100644
--- a/modules/social_features/social_group/modules/social_group_flexible_group/config/install/group.role.flexible_group-outsider.yml
+++ b/modules/social_features/social_group/modules/social_group_flexible_group/config/install/group.role.flexible_group-outsider.yml
@@ -13,7 +13,6 @@ group_type: flexible_group
 permissions:
 - 'access comments'
 - 'access posts in group'
- - 'join group'
 - 'update own group_node:event entity'
 - 'update own group_node:topic entity'
 - 'view group'
diff --git a/modules/social_features/social_group/modules/social_group_flexible_group/config/install/group.role.flexible_group-verified.yml b/modules/social_features/social_group/modules/social_group_flexible_group/config/install/group.role.flexible_group-verified.yml
index 5fc80a3e9f0..c7223c16a76 100644
--- a/modules/social_features/social_group/modules/social_group_flexible_group/config/install/group.role.flexible_group-verified.yml
+++ b/modules/social_features/social_group/modules/social_group_flexible_group/config/install/group.role.flexible_group-verified.yml
@@ -13,6 +13,7 @@ permissions:
 - 'access comments'
 - 'access posts in group'
 - 'join group'
+ - 'request group membership'
 - 'update own group_node:event entity'
 - 'update own group_node:topic entity'
 - 'view group'
diff --git a/modules/social_features/social_group/modules/social_group_flexible_group/social_group_flexible_group.install b/modules/social_features/social_group/modules/social_group_flexible_group/social_group_flexible_group.install
index 65117c7f27c..66937b83745 100644
--- a/modules/social_features/social_group/modules/social_group_flexible_group/social_group_flexible_group.install
+++ b/modules/social_features/social_group/modules/social_group_flexible_group/social_group_flexible_group.install
@@ -7,6 +7,7 @@
 use Drupal\Core\Config\FileStorage;
 use Drupal\group\Entity\GroupInterface;
+use Drupal\group\Entity\GroupRoleInterface;
 use Drupal\group\GroupMembership;
 use Drupal\social_group\Entity\Group;
 use Drupal\user\Entity\User;
@@ -332,3 +333,37 @@ function social_group_flexible_group_update_130008(): void {
 ->set('content', $content)
 ->save();
 }
+
+/**
+ * Revoke permissions for Authenticated (outsider) group role.
+ */
+function social_group_flexible_group_update_130009(): void {
+ $group_authenticated_role = \Drupal::entityTypeManager()
+ ->getStorage('group_role')
+ ->load('flexible_group-outsider');
+
+ if ($group_authenticated_role instanceof GroupRoleInterface) {
+ $group_authenticated_role->revokePermissions([
+ 'join group',
+ 'request group membership',
+ ])->save();
+ }
+
+}
+
+/**
+ * Grant permissions for Verified (outsider) group role.
+ */
+function social_group_flexible_group_update_130010(): void {
+ $group_verified_role = \Drupal::entityTypeManager()
+ ->getStorage('group_role')
+ ->load('flexible_group-verified');
+
+ if ($group_verified_role instanceof GroupRoleInterface) {
+ $group_verified_role->grantPermissions([
+ 'join group',
+ 'request group membership',
+ ])->save();
+ }
+
+}
diff --git a/modules/social_features/social_group/modules/social_group_flexible_group/src/Subscriber/Route.php b/modules/social_features/social_group/modules/social_group_flexible_group/src/Subscriber/Route.php
index 24dfd31ee63..aa7c91e627c 100644
--- a/modules/social_features/social_group/modules/social_group_flexible_group/src/Subscriber/Route.php
+++ b/modules/social_features/social_group/modules/social_group_flexible_group/src/Subscriber/Route.php
@@ -57,6 +57,7 @@ protected function alterRoutes(RouteCollection $collection) {
 $route->addRequirements($requirements);
 }
 }
+
 }
 }
diff --git a/modules/social_features/social_group/modules/social_group_invite/src/Controller/SocialGroupInvitationController.php b/modules/social_features/social_group/modules/social_group_invite/src/Controller/SocialGroupInvitationController.php
new file mode 100644
index 00000000000..f577420af5d
--- /dev/null
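Review bot: Both update hooks added to social_group_flexible_group.install return without leaving any trace when the role entity cannot be loaded, so on a site where `flexible_group-outsider` is missing update 130009 is recorded as applied while nothing was revoked. Because the functions are declared `: void`, the smallest fix is an `else` branch that logs, e.g. `\Drupal::logger('social_group_flexible_group')->warning('Group role flexible_group-outsider not found; permissions were not revoked.');`, and the same for 130010. Update 130010 and the install config for `flexible_group-verified` also grant `request group membership` unconditionally; the override removed in this commit and `_social_group_request_set_permissions()` suggest that permission belongs to the request feature, so it is worth confirming it is defined when that module is not installed.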
+++ b/modules/social_features/social_group/modules/social_group_invite/src/Controller/SocialGroupInvitationController.php
@@ -0,0 +1,28 @@
+getGroup();
+
+ if (!$group->hasPermission('join group', $this->currentUser())) {
+ AccessResult::forbidden();
+ }
+
+ return $result;
+ }
+
+}
diff --git a/modules/social_features/social_group/modules/social_group_invite/src/Controller/SocialGroupInvitationOperations.php b/modules/social_features/social_group/modules/social_group_invite/src/Controller/SocialGroupInvitationOperations.php
index 85cb616c611..bca4dffb66c 100644
--- a/modules/social_features/social_group/modules/social_group_invite/src/Controller/SocialGroupInvitationOperations.php
+++ b/modules/social_features/social_group/modules/social_group_invite/src/Controller/SocialGroupInvitationOperations.php
@@ -61,9 +61,10 @@ public function accepted(Request $request, GroupRelationshipInterface $group_con
 */
 public function checkAccess(GroupRelationshipInterface $group_content) {
 $invited = $group_content->getEntityId();
+ $group = $group_content->getGroup();
 // Only allow user accept/decline own invitations.
- if ($invited == $this->currentUser()->id()) {
+ if ($invited == $this->currentUser()->id() && $group->hasPermission('join group', $this->currentUser())) {
 return AccessResult::allowed();
 }
 return AccessResult::forbidden();
diff --git a/modules/social_features/social_group/modules/social_group_invite/src/Routing/RouteSubscriber.php b/modules/social_features/social_group/modules/social_group_invite/src/Routing/RouteSubscriber.php
index 987cfc0062a..2f429a312b6 100644
--- a/modules/social_features/social_group/modules/social_group_invite/src/Routing/RouteSubscriber.php
+++ b/modules/social_features/social_group/modules/social_group_invite/src/Routing/RouteSubscriber.php
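Review bot: In the new SocialGroupInvitationController the statement `AccessResult::forbidden();` inside the `join group` check is evaluated and discarded, so `$result` is returned unchanged and a user without the permission is not denied by this callback. The line should return the result, e.g. `return AccessResult::forbidden()->addCacheableDependency($group)->cachePerUser();`, or the condition should be folded into `$result` with `andIf()`. The top of the file is not visible on this page, so `$result` is assumed to come from the parent access check. RouteSubscriber.php in this commit installs this method as the `_custom_access` of `ginvite.invitation.accept`, so that route depends entirely on this fix. A test that requests the accept route as a user lacking `join group` and expects a 403 would have caught it.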
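Review bot: The comment above the changed condition in `SocialGroupInvitationOperations::checkAccess()` says the callback guards both accepting and declining, so requiring `join group` here would also stop a user who lacks the permission from declining an invitation addressed to them; if the callback really is shared, the permission test belongs on the accept path only. The results are returned without cacheability metadata although they now vary by the group's permissions and the current user, e.g. `return AccessResult::allowed()->addCacheableDependency($group)->cachePerUser();`. The comment should also mention the new requirement, for instance `// Only allow users with the "join group" permission to act on their own invitations.`. The end of the method is outside the hunk.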
@@ -3,6 +3,7 @@
 namespace Drupal\social_group_invite\Routing;
 use Drupal\Core\Routing\RouteSubscriberBase;
+use Drupal\social_group_invite\Controller\SocialGroupInvitationController;
 use Symfony\Component\Routing\RouteCollection;
 /**
@@ -26,6 +27,14 @@ protected function alterRoutes(RouteCollection $collection) {
 $route->setDefaults($defaults);
 $route->setRequirements($requirements);
 }
+
+ // Do not allow to accept invitation without "join group" permission.
+ if ($route = $collection->get('ginvite.invitation.accept')) {
+ $route->setRequirement(
+ '_custom_access',
+ SocialGroupInvitationController::class . '::checkAccess',
+ );
+ }
 }
 }
diff --git a/modules/social_features/social_group/modules/social_group_request/social_group_request.install b/modules/social_features/social_group/modules/social_group_request/social_group_request.install
index aa9c5722315..33c99be04ed 100644
--- a/modules/social_features/social_group/modules/social_group_request/social_group_request.install
+++ b/modules/social_features/social_group/modules/social_group_request/social_group_request.install
@@ -40,11 +40,11 @@ function social_group_request_update_dependencies(): array {
 */
 function _social_group_request_set_permissions(): void {
 if (\Drupal::moduleHandler()->moduleExists('social_group_flexible_group')) {
- /** @var \Drupal\group\Entity\GroupRoleInterface $outsider */
- $outsider = \Drupal::entityTypeManager()
+ /** @var \Drupal\group\Entity\GroupRoleInterface $verified */
+ $verified = \Drupal::entityTypeManager()
 ->getStorage('group_role')
- ->load('flexible_group-outsider');
- $outsider->grantPermission('request group membership')->save();
+ ->load('flexible_group-verified');
+ $verified->grantPermission('request group membership')->save();
 /** @var \Drupal\group\Entity\GroupRoleInterface $group_manager */
 $group_manager = \Drupal::entityTypeManager()
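Review bot: `_social_group_request_set_permissions()` calls `$verified->grantPermission()` on whatever `load('flexible_group-verified')` returns, and the `@var` annotation only hides that `load()` can return NULL, so a site without that role would hit a fatal error wherever this helper runs. The update hooks added in this same commit guard the load with `instanceof GroupRoleInterface`; the same guard fits here: `if ($verified instanceof \Drupal\group\Entity\GroupRoleInterface) { $verified->grantPermission('request group membership')->save(); }`. The function body continues outside the hunk, where the group manager role appears to be loaded in the same unguarded way.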
diff --git a/modules/social_features/social_group/modules/social_group_request/src/SocialGroupRequestConfigOverride.php b/modules/social_features/social_group/modules/social_group_request/src/SocialGroupRequestConfigOverride.php
index a569fed1a92..11ce8d3d6b4 100644
--- a/modules/social_features/social_group/modules/social_group_request/src/SocialGroupRequestConfigOverride.php
+++ b/modules/social_features/social_group/modules/social_group_request/src/SocialGroupRequestConfigOverride.php
@@ -87,19 +87,6 @@ public function loadOverrides($names) {
 $outsider_role_configs = [];
 foreach ($social_group_types as $social_group_type) {
 $default_form_display_configs[] = "core.entity_form_display.group.{$social_group_type}.default";
- $outsider_role_configs[] = "group.role.{$social_group_type}-outsider";
- }
-
- foreach ($outsider_role_configs as $config_name) {
- if (in_array($config_name, $names)) {
- $config = $this->configFactory->getEditable($config_name);
- $permissions = $config->get('permissions');
- $permissions[] = 'request group membership';
-
- $overrides[$config_name] = [
- 'permissions' => $permissions,
- ];
- }
 }
 foreach ($default_form_display_configs as $config_name) {