[CFM-861] Adjust permissions and align groups presentation.

project/profiles/capacity4more/behat/features/group_status.feature

@@ -56,12 +56,6 @@ Feature: Group Status
     And   the "#edit-c4m-og-status-und" element should not contain "pending"
     And   the "#edit-c4m-og-status-und" element should not contain "draft"
 
-  @api
-  Scenario: Check archived group as group owner
-    Given I am logged in as user "alfrednobel"
-    When  I start editing group "Archived group"
-    Then  I should not see an "#edit-c4m-og-status-und" element
-
   @api
   Scenario: Check deleted group as admin
     Given I am logged in as user "mariecurie"
@@ -100,7 +94,7 @@ Feature: Group Status
     Then  I should have access to the page
     And   I visit "Archived group" node of type "group"
     And   I should not see "Access denied"
-    And   I should be allowed to edit a group "Archived group"
+    And   I should not be allowed to edit a group "Archived group"
 
   @api
   Scenario: Check Deleted group dashboard access by group owner
@@ -133,7 +127,7 @@ Feature: Group Status
     Given I am logged in as user "turing"
     When  I visit "Archived group" node of type "group"
     Then  I should not see "Access denied"
-    And   I should be allowed to edit a group "Archived group"
+    And   I should not be allowed to edit a group "Archived group"
 
   @api
   Scenario: Check Deleted group access by group admin

project/profiles/capacity4more/modules/c4m/content/c4m_content/c4m_content.module

@@ -1087,31 +1087,73 @@ function _c4m_content_taxonomy_extract_root_item(&$items) {
 /**
  * Manages access to 'create group content' form.
  *
- * For OG type 'group', allows access for group members and power users.
+ * Allows access for group power users. Members allowed access, when creating
+ * all content types, besides wiki page.
  */
 function c4m_content_create_group_content_access() {
   $item = menu_get_item();
 
+  $regex = '/node\/add\/(discussion|document|event|news|photo|photoalbum|wiki-page)/';
+
   // Making sure the current request is for the node/add form.
-  preg_match('/node\/add\/(discussion|document|event|news|photo(album)?|wiki-page)/', $item['path'], $matches);
+  preg_match($regex, $item['path'], $matches);
   if (empty($matches[0])) {
     return;
   }
 
-  // If not under og context, return early.
+  // If not under og context, deny access.
   if (!$context = og_context()) {
-    drupal_access_denied();
-    drupal_exit();
+    c4m_content_deny_access();
   }
 
-  // Resolve OG group type.
-  $group_type = c4m_og_get_group_type($context);
+  // We allow access only for draft / published groups.
+  $group = node_load($context['gid']);
+  $group_state = c4m_og_get_group_status($group);
+
+  // Site admin may not add content to pending/deleted group.
+  // No other restrictions.
+  if (c4m_user_is_site_admin()) {
+
+    if ($group_state == 'pending' || $group_state == 'deleted') {
+      c4m_content_deny_access();
+    }
+    else {
+      return;
+    }
+  }
 
-  // For type 'group' allow access only to it's members and site admin.
-  if ($group_type == 'group' && !og_is_member('node', $context['gid']) && !c4m_user_is_site_admin()) {
-    drupal_access_denied();
-    drupal_exit();
+  $allowed_states = array('draft', 'published');
+  // Deny access, if group state is not allowed.
+  if (!in_array($group_state, $allowed_states)) {
+    c4m_content_deny_access();
   }
+  else {
+    $user_type = _c4m_features_og_members_get_user_type();
+
+    $allowed_user_types = array(
+      C4M_USER_TYPE_GA,
+      C4M_USER_TYPE_GO,
+    );
+
+    // If content is not wiki page, allow it's creation by group member.
+    $bundle = explode('/', $item['path']);
+    if ($bundle[2] != 'wiki-page') {
+      $allowed_user_types[] = C4M_USER_TYPE_GM;
+    }
+
+    // We allow access to power users, and members, when creating content.
+    if (!in_array($user_type, $allowed_user_types)) {
+      c4m_content_deny_access();
+    }
+  }
+}
+
+/**
+ * Redirects to page 'Access denied'.
+ */
+function c4m_content_deny_access() {
+  drupal_access_denied();
+  drupal_exit();
 }
 
 /**

project/profiles/capacity4more/modules/c4m/content/c4m_content_group/c4m_content_group.module

@@ -11,13 +11,11 @@ define('C4M_CONTENT_GROUP_STATUS_VIEW_PENDING', 0);
 define('C4M_CONTENT_GROUP_STATUS_VIEW_DRAFT', 1);
 define('C4M_CONTENT_GROUP_STATUS_VIEW_PUBLISHED', 2);
 define('C4M_CONTENT_GROUP_STATUS_VIEW_ARCHIVED', 3);
-define('C4M_CONTENT_GROUP_STATUS_VIEW_REJECTED', 4);
 define('C4M_CONTENT_GROUP_STATUS_VIEW_DELETED', 5);
 define('C4M_CONTENT_GROUP_STATUS_UPDATE_PENDING', 6);
 define('C4M_CONTENT_GROUP_STATUS_UPDATE_DRAFT', 7);
 define('C4M_CONTENT_GROUP_STATUS_UPDATE_PUBLISHED', 8);
 define('C4M_CONTENT_GROUP_STATUS_UPDATE_ARCHIVED', 9);
-define('C4M_CONTENT_GROUP_STATUS_UPDATE_REJECTED', 10);
 define('C4M_CONTENT_GROUP_STATUS_UPDATE_DELETED', 11);
 
 include_once 'c4m_content_group.features.inc';
@@ -207,13 +205,11 @@ function c4m_content_group_node_grants($account = NULL, $op = 'view') {
       C4M_CONTENT_GROUP_STATUS_VIEW_DRAFT,
       C4M_CONTENT_GROUP_STATUS_VIEW_PUBLISHED,
       C4M_CONTENT_GROUP_STATUS_VIEW_ARCHIVED,
-      C4M_CONTENT_GROUP_STATUS_VIEW_REJECTED,
       C4M_CONTENT_GROUP_STATUS_VIEW_DELETED,
       C4M_CONTENT_GROUP_STATUS_UPDATE_PENDING,
       C4M_CONTENT_GROUP_STATUS_UPDATE_DRAFT,
       C4M_CONTENT_GROUP_STATUS_UPDATE_PUBLISHED,
       C4M_CONTENT_GROUP_STATUS_UPDATE_ARCHIVED,
-      C4M_CONTENT_GROUP_STATUS_UPDATE_REJECTED,
       C4M_CONTENT_GROUP_STATUS_UPDATE_DELETED,
     );
     return $grants;

project/profiles/capacity4more/modules/c4m/features_og/c4m_features_og_members/c4m_features_og_members.module

@@ -459,6 +459,64 @@ function _c4m_features_og_members_is_power_user($group = NULL, $user = NULL) {
     og_get_user_roles('node', $group->nid, $user->uid));
 }
 
+/**
+ * Returns the type of user, globally, or within a group.
+ *
+ * Possible types:
+ * - C4M_USER_TYPE_SA -> site administrator.
+ * - C4M_USER_TYPE_GO -> group owner.
+ * - C4M_USER_TYPE_GA -> group administrator.
+ * - C4M_USER_TYPE_GM -> group member.
+ * - C4M_USER_TYPE_NON_MEMBER -> authenticated, not a group member.
+ * - C4M_USER_TYPE_VISITOR -> anonymous user.
+ *
+ * @param object $group
+ *   The group for which we want to check the user.
+ * @param object $user
+ *   The user object.
+ *
+ * @return string|false
+ *   Type of user, globally, or within the group.
+ *   FALSE, if type could not be resolve.
+ */
+function _c4m_features_og_members_get_user_type($group = NULL, $user = NULL) {
+  if (!isset($user)) {
+    global $user;
+  }
+
+  if (user_is_anonymous()) {
+    return C4M_USER_TYPE_VISITOR;
+  }
+
+  // The user has the site wide role 'administrator'.
+  if (in_array('administrator', $user->roles)) {
+    return C4M_USER_TYPE_SA;
+  }
+
+  if (!isset($group)) {
+    $group = c4m_og_current_group();
+  }
+
+  // Currently we're not in a group context, and at that point the user is not
+  // an administrator.
+  if (!$group) {
+    return FALSE;
+  }
+
+  // The user is the group owner.
+  // What is a group owner? see https://www.drupal.org/node/1114858.
+  if ($group->uid === $user->uid) {
+    return C4M_USER_TYPE_GO;
+  }
+
+  // The user has the group role 'administrator member'.
+  if (in_array('administrator member', og_get_user_roles('node', $group->nid, $user->uid))) {
+    return C4M_USER_TYPE_GA;
+  }
+
+  return og_is_member('node', $group->nid) ? C4M_USER_TYPE_GM : C4M_USER_TYPE_NON_MEMBER;
+}
+
 /**
  * Implements hook_entity_property_info_alter().
  */

project/profiles/capacity4more/modules/c4m/field/c4m_field_og/c4m_field_og.module

@@ -157,7 +157,6 @@ function _c4m_field_og_set_status_flow(&$form, $form_state, $type) {
     $unallowed_values = array(
       'pending' => array(
         'archived',
-        'published',
       ),
       'draft' => array(
         'pending',
@@ -175,8 +174,14 @@ function _c4m_field_og_set_status_flow(&$form, $form_state, $type) {
       ),
     );
 
-    if ($type == 'group' && $wrapper->{OG_ACCESS_FIELD}->value()) {
-      unset($unallowed_values['pending']['published']);
+    // For private groups, allow admin user to change group state from pending
+    // to published.
+    if ($type == 'group') {
+      $group_access = c4m_og_get_access_type($entity);
+
+      if ($group_access['type'] != 'private') {
+        $unallowed_values['pending'][] = 'published';
+      }
     }
 
     if (!empty($unallowed_values[$value])) {