[CFM-861-fixes] Finilize permissions adjustments, and groups presentation alignment.

project/profiles/capacity4more/behat/features/group_status.feature

@@ -56,12 +56,6 @@ Feature: Group Status
     And   the "#edit-c4m-og-status-und" element should not contain "pending"
     And   the "#edit-c4m-og-status-und" element should not contain "draft"
 
-  @api
-  Scenario: Check archived group as group owner
-    Given I am logged in as user "alfrednobel"
-    When  I start editing group "Archived group"
-    Then  I should not see an "#edit-c4m-og-status-und" element
-
   @api
   Scenario: Check deleted group as admin
     Given I am logged in as user "mariecurie"
@@ -100,7 +94,7 @@ Feature: Group Status
     Then  I should have access to the page
     And   I visit "Archived group" node of type "group"
     And   I should not see "Access denied"
-    And   I should be allowed to edit a group "Archived group"
+    And   I should not be allowed to edit a group "Archived group"
 
   @api
   Scenario: Check Deleted group dashboard access by group owner
@@ -133,7 +127,7 @@ Feature: Group Status
     Given I am logged in as user "turing"
     When  I visit "Archived group" node of type "group"
     Then  I should not see "Access denied"
-    And   I should be allowed to edit a group "Archived group"
+    And   I should not be allowed to edit a group "Archived group"
 
   @api
   Scenario: Check Deleted group access by group admin

project/profiles/capacity4more/modules/c4m/content/c4m_content/c4m_content.module

@@ -1090,8 +1090,11 @@ function _c4m_content_taxonomy_extract_root_item(&$items) {
 function c4m_content_create_group_content_access() {
   $item = menu_get_item();
 
+  $bundles = c4m_og_get_all_group_content_bundles('node');
+  $regex = '/node\/add\/(' . implode('|', array_keys($bundles)) . ')/';
+
   // Making sure the current request is for the node/add form.
-  preg_match('/node\/add\/(discussion|document|event|news|photo(album)?|wiki-page)/', $item['path'], $matches);
+  preg_match($regex, $item['path'], $matches);
   if (empty($matches[0])) {
     return;
   }
@@ -1102,11 +1105,26 @@ function c4m_content_create_group_content_access() {
     drupal_exit();
   }
 
-  // Resolve OG group type.
-  $group_type = c4m_og_get_group_type($context);
+  $deny_access = FALSE;
+  // We allow access only for draft / published groups.
+  $group = node_load($context['gid']);
+  $group_state = c4m_og_get_group_status($group);
+  $allowed_states = array('draft', 'published');
+
+  // Can't resolve group state, or group state is not allowed.
+  if (!$group_state || !in_array($group_state, $allowed_states)) {
+    $deny_access = TRUE;
+  }
+  else {
+    $user_type = _c4m_features_og_members_get_user_type();
+    // We allow access to power users, and members, when creating content.
+    $allowed_user_types = array('member', 'admin', 'owner', 'site-admin');
+    if (!in_array($user_type, $allowed_user_types)) {
+      $deny_access = TRUE;
+    }
+  }
 
-  // For type 'group' allow access only to it's members and site admin.
-  if ($group_type == 'group' && !og_is_member('node', $context['gid']) && !c4m_user_is_site_admin()) {
+  if ($deny_access) {
     drupal_access_denied();
     drupal_exit();
   }

project/profiles/capacity4more/modules/c4m/content/c4m_content_group/c4m_content_group.module

@@ -11,13 +11,11 @@ define('C4M_CONTENT_GROUP_STATUS_VIEW_PENDING', 0);
 define('C4M_CONTENT_GROUP_STATUS_VIEW_DRAFT', 1);
 define('C4M_CONTENT_GROUP_STATUS_VIEW_PUBLISHED', 2);
 define('C4M_CONTENT_GROUP_STATUS_VIEW_ARCHIVED', 3);
-define('C4M_CONTENT_GROUP_STATUS_VIEW_REJECTED', 4);
 define('C4M_CONTENT_GROUP_STATUS_VIEW_DELETED', 5);
 define('C4M_CONTENT_GROUP_STATUS_UPDATE_PENDING', 6);
 define('C4M_CONTENT_GROUP_STATUS_UPDATE_DRAFT', 7);
 define('C4M_CONTENT_GROUP_STATUS_UPDATE_PUBLISHED', 8);
 define('C4M_CONTENT_GROUP_STATUS_UPDATE_ARCHIVED', 9);
-define('C4M_CONTENT_GROUP_STATUS_UPDATE_REJECTED', 10);
 define('C4M_CONTENT_GROUP_STATUS_UPDATE_DELETED', 11);
 
 include_once 'c4m_content_group.features.inc';
@@ -207,13 +205,11 @@ function c4m_content_group_node_grants($account = NULL, $op = 'view') {
       C4M_CONTENT_GROUP_STATUS_VIEW_DRAFT,
       C4M_CONTENT_GROUP_STATUS_VIEW_PUBLISHED,
       C4M_CONTENT_GROUP_STATUS_VIEW_ARCHIVED,
-      C4M_CONTENT_GROUP_STATUS_VIEW_REJECTED,
       C4M_CONTENT_GROUP_STATUS_VIEW_DELETED,
       C4M_CONTENT_GROUP_STATUS_UPDATE_PENDING,
       C4M_CONTENT_GROUP_STATUS_UPDATE_DRAFT,
       C4M_CONTENT_GROUP_STATUS_UPDATE_PUBLISHED,
       C4M_CONTENT_GROUP_STATUS_UPDATE_ARCHIVED,
-      C4M_CONTENT_GROUP_STATUS_UPDATE_REJECTED,
       C4M_CONTENT_GROUP_STATUS_UPDATE_DELETED,
     );
     return $grants;

project/profiles/capacity4more/modules/c4m/message/c4m_message/c4m_message.module

@@ -487,37 +487,6 @@ function _c4m_message_format_from_field_to_simple_pattern(&$message, $add_team =
       '@mail' => 'capacity4dev@ec.europa.eu',
     )
   );
-
-  _c4m_message_process_email_body($message);
-}
-
-/**
- * Implements hook_theme().
- */
-function c4m_message_theme() {
-
-  $theme['c4m_message_email_body'] = array(
-    'variables' => array(
-      'body' => '',
-    ),
-    'path' => drupal_get_path('theme', 'kapablo') . '/templates',
-    'template' => 'mimemail-message-orig',
-  );
-
-  return $theme;
-}
-
-/**
- * Implements hook_theme().
- */
-function _c4m_message_process_email_body(&$message) {
-  $body = $message['body'][0];
-  $variables = array(
-    'body' => $body,
-  );
-
-  $body[0] = theme('c4m_message_email_body', $variables);
-  $message['body']  = $body;
 }
 
 /**

project/profiles/capacity4more/modules/c4m/og/c4m_og/c4m_og.module

@@ -2205,102 +2205,144 @@ function c4m_og_get_group_status($group) {
  * in case this option is allowed (c4m_edit_by_members).
  */
 function c4m_og_node_access($node, $op, $account) {
-  if ($op == 'delete') {
-    if (og_is_group('node', $node) && !user_access('administer nodes')) {
-      return NODE_ACCESS_DENY;
-    }
+  global $user;
 
-    // Power user should always have access to delete group content.
-    if (($group = c4m_og_get_group_of_content($node)) && _c4m_features_og_members_is_power_user($group)) {
-      return NODE_ACCESS_ALLOW;
-    }
+  // Only site admin may delete groups.
+  if ($op == 'delete' && og_is_group('node', $node) && !user_access('administer nodes')) {
+    return NODE_ACCESS_DENY;
   }
 
-  if ($op == 'update' && ($group = c4m_og_get_group_of_content($node)) && $node->type == 'wiki_page') {
-    if (!_c4m_features_og_members_is_power_user($group) && !c4m_content_wiki_page_is_editable_by_members($node)) {
-      return NODE_ACCESS_DENY;
+  // When updating published wiki page, allow access to group members,
+  // if 'editable by members' option is enabled for this page.
+  if ($op == 'update' && ($group = c4m_og_get_group_of_content($node)) && $node->type == 'wiki_page' && $node->status == NODE_PUBLISHED) {
+    if (_c4m_features_og_members_get_user_type($group) == 'member' && c4m_content_wiki_page_is_editable_by_members($node)) {
+      return NODE_ACCESS_ALLOW;
     }
   }
 
-  // Grant access to group content by the same access to the group.
-  if (is_object($node) && og_is_group_content_type('node', $node->type)) {
+  // When $node is string (happens when creating content), it contains the
+  // type of created content.
+  $node_type = is_string($node) ? $node : $node->type;
 
-//    // Couldn't resolve the group of the content.
-//    if (!$group = c4m_og_get_group_of_content($node)) {
-//      return NODE_ACCESS_IGNORE;
-//    }
-//
-//    if (c4m_og_get_group_status($group) != 'pending') {
-//      return NODE_ACCESS_IGNORE;
-//    }
-//
-//    $group_access = node_access($group, $op, $account);
-//
-//    return $group_access ? NODE_ACCESS_ALLOW : NODE_ACCESS_DENY;
-  }
+  // Handling group content bundles.
+  if (og_is_group_content_type('node', $node_type)) {
 
-  $node_type = is_string($node) ? $node : $node->type;
+    if ($op == 'view') {
+      // Couldn't resolve the group of the content.
+      if (!$group = c4m_og_get_group_of_content($node)) {
+        return NODE_ACCESS_IGNORE;
+      }
 
-  // When adding / editing group content, deny access, if current user is not a
-  // site admin, group member, owner or admin, or group state does not allow
-  // the operation.
-  if (in_array($node_type, c4m_og_get_group_content_bundles())) {
-    $allowed_user_types = array('member', 'admin', 'owner', 'site-admin');
-    $user_type = _c4m_features_og_members_get_user_type();
+      // Group content is saved as draft.
+      if ($node->status == NODE_NOT_PUBLISHED) {
 
-    if (!in_array($user_type, $allowed_user_types)) {
-      return NODE_ACCESS_DENY;
-    }
+        // Only power user or content author may view the node.
+        if (_c4m_features_og_members_is_power_user($group) || $node->uid == $user->uid) {
+          return NODE_ACCESS_ALLOW;
+        }
+        else {
+          return NODE_ACCESS_DENY;
+        }
+      }
 
-    $group = c4m_og_current_group();
-    $group_state = c4m_og_get_group_status($group);
-    $group_access = c4m_og_get_access_type($group);
-    $allowed_states = array('draft', 'published');
+      $group_access = node_access($op, $group, $account);
 
-    if ($group_access['type'] == 'restricted') {
-      $allowed_states[] = 'archived';
+      return $group_access ? NODE_ACCESS_ALLOW : NODE_ACCESS_DENY;
     }
+    // Handling Create / Update / Delete operations.
+    else {
 
-    if (!in_array($group_state, $allowed_states)) {
-      return NODE_ACCESS_DENY;
-    }
-  }
+      $user_type = _c4m_features_og_members_get_user_type();
+      // Can't resolve user type - couldn't get OG context to resolve group.
+      if ($user_type == 'unknown') {
+        return NODE_ACCESS_IGNORE;
+      }
 
-  // Allow access to group, based on group state and user role within the group.
-  if (is_object($node) && og_is_group('node', $node) && $node->type == 'group') {
-    // Allowed states for Public group Viewing.
-    $allowed_states = array(
-      'visitor' => array(),
-      'non-member' => array(),
-      'member' => array('archived', 'published'),
-      'admin' => array('draft', 'archived', 'published'),
-      'owner' => array('pending', 'draft', 'archived', 'published'),
-    );
+      // Visitors are not allowed to Create / Update / Delete content.
+      if ($user_type == 'visitor') {
+        return NODE_ACCESS_DENY;
+      }
 
-    $group_access = c4m_og_get_access_type($node);
+      // We allow access only for draft / published groups.
+      $group = c4m_og_current_group();
+      $group_state = c4m_og_get_group_status($group);
+      $allowed_states = array('draft', 'published');
 
-    if ($group_access['type'] == 'public') {
-      $allowed_states['visitor'] = $allowed_states['non-member'] = array('archived', 'published');
-    }
-    elseif ($group_access['type'] == 'restricted') {
-      // User is not a member, but cas access restricted group.
-      if (c4m_og_user_can_access_restricted_group($node, $account, $op)) {
-        $allowed_states['non-member'][] = 'published';
+      // Can't resolve group state, or group state is not allowed.
+      if (!$group_state || !in_array($group_state, $allowed_states)) {
+        return NODE_ACCESS_DENY;
+      }
+
+      // We allow access to power users, any member, when creating, and member
+      // that is also content author, when editing or deleting.
+      $allowed_user_types = array('admin', 'owner', 'site-admin');
+      if (in_array($user_type, $allowed_user_types)) {
+        return NODE_ACCESS_ALLOW;
+      }
+      elseif ($user_type == 'member') {
+
+        if ($op == 'create') {
+          return NODE_ACCESS_ALLOW;
+        }
+        else {
+          return ($node->uid == $user->uid) ? NODE_ACCESS_ALLOW : NODE_ACCESS_DENY;
+        }
       }
-      $allowed_states['member'][] = 'draft';
     }
-    elseif ($group_access['type'] == 'private') {
-      // Adjustments for allowed states of Private group Viewing.
-      $allowed_states['member'][] = 'draft';
+  }
+  // Handling group bundles.
+  elseif (og_is_group_type('node', $node_type)) {
+    if ($op == 'create') {
+      // Any authenticated user can create any kind of group.
+      return user_is_anonymous() ? NODE_ACCESS_DENY : NODE_ACCESS_ALLOW;
     }
+    else {
+      // Allowed states for viewing any kind of  group.
+      if ($op == 'view') {
+        $allowed_states = array(
+          'visitor' => array(),
+          'non-member' => array(),
+          'member' => array('draft', 'archived', 'published'),
+          'admin' => array('draft', 'archived', 'published'),
+          'owner' => array('pending', 'draft', 'archived', 'published'),
+        );
 
-    $user_type = _c4m_features_og_members_get_user_type($node);
-    $group_state = c4m_og_get_group_status($node);
+        $group_access = c4m_og_get_access_type($node);
 
-    if (!in_array($group_state, $allowed_states[$user_type])) {
-      return NODE_ACCESS_DENY;
+        if ($group_access['type'] == 'public') {
+          // Adjustments for allowed states of public group.
+          $allowed_states['visitor'] = $allowed_states['non-member'] = array('archived', 'published');
+        }
+        elseif ($group_access['type'] == 'restricted') {
+          // User is not a member, but can access restricted group.
+          if (c4m_og_user_can_access_restricted_group($node, $account, $op)) {
+            // Adjustments for allowed states of restricted group.
+            $allowed_states['non-member'][] = 'published';
+          }
+        }
+      }
+      // $op is Update or Delete.
+      else {
+        // GA and GO get access for draft and published groups.
+        // GO also gets access for pending groups.
+        $allowed_states = array(
+          'visitor' => array(),
+          'non-member' => array(),
+          'member' => array(),
+          'admin' => array('draft', 'published'),
+          'owner' => array('pending', 'draft', 'published'),
+        );
+      }
+
+      $user_type = _c4m_features_og_members_get_user_type($node);
+      $group_state = c4m_og_get_group_status($node);
+
+      return in_array($group_state, $allowed_states[$user_type]) ? NODE_ACCESS_ALLOW : NODE_ACCESS_DENY;
     }
   }
+  else {
+    // Content that is not OG. For example: article.
+  }
 
   return NODE_ACCESS_IGNORE;
 }
@@ -2486,7 +2528,7 @@ function c4m_og_is_invite_allowed($group_type, $gid) {
 
   // Either 'open' or 'moderated'.
   $group_moderation_state = c4m_og_get_group_membership_request($group);
-  $user_type = _c4m_features_og_members_get_user_type();
+  $user_type = _c4m_features_og_members_get_user_type($group);
   $group_access = c4m_og_get_access_type($group);
 
   // Group members can't invite to private group, or group that is moderated.

project/profiles/capacity4more/modules/c4m/og/c4m_og/plugins/entityreference/selection/C4MOgSelectionHandler.class.php

@@ -149,16 +149,21 @@ public function buildEntityFieldQuery(
       return $query;
     }
 
-    $unallowed_values = array(
-      'pending',
-      'archived',
-      'deleted',
-    );
+    $allowed_user_types = array('member', 'admin', 'owner', 'site-admin');
+    $user_type = _c4m_features_og_members_get_user_type();
+    // If user is not of type that can create the content, falsify the query.
+    if (!in_array($user_type, $allowed_user_types)) {
+      $query->propertyCondition($entity_info['entity keys']['id'], static::FALSE_ID, '=');
+      return $query;
+    }
+
+    $allowed_states = array('draft', 'published');
+
     $query->fieldCondition(
       'c4m_og_status',
       'value',
-      $unallowed_values,
-      'NOT IN'
+      $allowed_states,
+      'IN'
     );
 
     return $query;