Gizra/og

Users can still access 'subscribe' link directly for closed groups

varshith opened this issue · 1 comment

Overview

When a group is closed, a user can still go to the 'subscribe' link for that group and still register to that group. This is a bug and needs fixing.

Details

This happens on a site which uses hook_og_user_access_alter to deny permissions for 'subscribe' and 'subscribe without approval' for the group in question.

This allows users to join groups without permission, so this is a security issue. I am tagging this to block the next release. We are still in alpha and not covered by the security policies of the Drupal security team, but it would regardless be a good idea to get this out in the next release.