Provide "delete" entity operation access checks on group entities
Closed this issue · 0 comments
Currently we only have full entity operation access checks for group content (see for example OgEventSubscriber::provideDefaultNodePermissions()
which supplies these for node group content).
We have a group permission called update group
but this is not currently enforced and (edit: is enforced now, ref. #673) test coverage for this is incomplete (ref. a user with this permission (user4
) is created in OgEntityAccessTest
but the test doesn't actually check that this user has edit access and other users don't.
We are also lacking a delete group
permission. I think a create group
permission is not needed, since this is controlled by Drupal permissions (a newly created group doesn't have any members yet so we cannot control this using an OG permission). We are ignoring view permissions too.
In order to fulfill this I propose:
- Create a new
GroupPermission
to delete groups, apply it to the group admin by default, and treat it in the same way as theUPDATE_GROUP_PERMISSION
. - Extend the tests, not only on the return value of the access checks like is being done in
OgEntityAccessTest
but also in scenarios where groups are actually being updated and deleted, i.e. throughhook_entity_access()
.