Issue #3490462: Revoke "Join group" and "request group membership" fr…

…om Authenticated (outsider) group role.

modules/social_features/social_group/modules/social_group_flexible_group/config/install/group.role.flexible_group-outsider.yml

@@ -13,7 +13,6 @@ group_type: flexible_group
 permissions:
   - 'access comments'
   - 'access posts in group'
-  - 'join group'
   - 'update own group_node:event entity'
   - 'update own group_node:topic entity'
   - 'view group'

modules/social_features/social_group/modules/social_group_flexible_group/social_group_flexible_group.install

@@ -7,6 +7,7 @@
 
 use Drupal\Core\Config\FileStorage;
 use Drupal\group\Entity\GroupInterface;
+use Drupal\group\Entity\GroupRoleInterface;
 use Drupal\group\GroupMembership;
 use Drupal\social_group\Entity\Group;
 use Drupal\user\Entity\User;
@@ -331,3 +332,37 @@ function social_group_flexible_group_update_130008(): void {
     ->set('content', $content)
     ->save();
 }
+
+/**
+ * Implements hook_update_dependencies().
+ */
+function social_group_flexible_group_update_dependencies(): array {
+  // Ensure configurations updates runs after the social group request
+  // permissions update.
+  $dependencies['social_group_flexible_group'][130009] = [
+    'social_group_request' => 13003,
+  ];
+
+  return $dependencies;
+}
+
+/**
+ * Revoke permissions for Authenticated (outsider) group role.
+ */
+function social_group_flexible_group_update_130009(): void {
+  $group_authenticated_role = \Drupal::entityTypeManager()
+    ->getStorage('group_role')
+    ->load('flexible_group-outsider');
+
+  if ($group_authenticated_role instanceof GroupRoleInterface) {
+
+    if ($group_authenticated_role->hasPermission('join group')) {
+      $group_authenticated_role->revokePermission('join group')->save();
+    }
+
+    if ($group_authenticated_role->hasPermission('request group membership')) {
+      $group_authenticated_role->revokePermission('request group membership')->save();
+    }
+  }
+
+}

modules/social_features/social_group/modules/social_group_flexible_group/src/Subscriber/Route.php

@@ -57,6 +57,7 @@ protected function alterRoutes(RouteCollection $collection) {
         $route->addRequirements($requirements);
       }
     }
+
   }
 
 }

modules/social_features/social_group/modules/social_group_invite/src/Controller/SocialGroupInvitationOperations.php

@@ -61,9 +61,10 @@ public function accepted(Request $request, GroupRelationshipInterface $group_con
    */
   public function checkAccess(GroupRelationshipInterface $group_content) {
     $invited = $group_content->getEntityId();
+    $group = $group_content->getGroup();
 
     // Only allow user accept/decline own invitations.
-    if ($invited == $this->currentUser()->id()) {
+    if ($invited == $this->currentUser()->id() && $group->hasPermission('join group', $this->currentUser())) {
       return AccessResult::allowed();
     }
     return AccessResult::forbidden();

modules/social_features/social_group/modules/social_group_request/social_group_request.install

@@ -5,6 +5,8 @@
  * Install/Uninstall/Update hooks for social_group_request module.
  */
 
+use Drupal\group\Entity\GroupRoleInterface;
+
 /**
  * Implements hook_install().
  */
@@ -40,11 +42,11 @@ function social_group_request_update_dependencies(): array {
  */
 function _social_group_request_set_permissions(): void {
   if (\Drupal::moduleHandler()->moduleExists('social_group_flexible_group')) {
-    /** @var \Drupal\group\Entity\GroupRoleInterface $outsider */
-    $outsider = \Drupal::entityTypeManager()
+    /** @var \Drupal\group\Entity\GroupRoleInterface $verified */
+    $verified = \Drupal::entityTypeManager()
       ->getStorage('group_role')
-      ->load('flexible_group-outsider');
-    $outsider->grantPermission('request group membership')->save();
+      ->load('flexible_group-verified');
+    $verified->grantPermission('request group membership')->save();
 
     /** @var \Drupal\group\Entity\GroupRoleInterface $group_manager */
     $group_manager = \Drupal::entityTypeManager()
@@ -105,3 +107,51 @@ function social_group_request_update_13002(): void {
     ->load('flexible_group-group_manager');
   $group_manager->grantPermission('administer membership requests')->save();
 }
+
+/**
+ * Re-grant "request group membership" permission.
+ */
+function social_group_request_update_13003(): void {
+  $permission = 'request group membership';
+  $groups_bundle_info = \Drupal::service('entity_type.bundle.info')->getBundleInfo('group');
+
+  foreach ($groups_bundle_info as $bundle => $bundle_info) {
+    $group_authenticated_roles = \Drupal::entityTypeManager()
+      ->getStorage('group_role')
+      ->loadByProperties([
+        'scope' => 'outsider',
+        'global_role' => 'authenticated',
+        'group_type' => $bundle,
+      ]);
+
+    $group_authenticated_role = $group_authenticated_roles ? current($group_authenticated_roles) : NULL;
+
+    $group_verified_roles = \Drupal::entityTypeManager()
+      ->getStorage('group_role')
+      ->loadByProperties([
+        'scope' => 'outsider',
+        'global_role' => 'verified',
+        'group_type' => $bundle,
+      ]);
+
+    $group_verified_role = $group_verified_roles ? current($group_verified_roles) : NULL;
+
+    // If Group type doesn't have Verified (outsider) group role we should grant
+    // permission to Authenticated (outsider) group role, otherwise - revoke
+    // from Authenticated and grant to Verified group role.
+    if ($group_authenticated_role instanceof GroupRoleInterface &&
+      !$group_authenticated_role->hasPermission($permission)
+    ) {
+      $group_authenticated_role->grantPermission($permission)->save();
+    }
+
+    if (
+      $group_verified_role instanceof GroupRoleInterface &&
+      !$group_verified_role->hasPermission($permission)
+    ) {
+      $group_verified_role->grantPermission($permission)->save();
+    }
+
+  }
+
+}

modules/social_features/social_group/modules/social_group_request/src/SocialGroupRequestConfigOverride.php

@@ -87,19 +87,6 @@ public function loadOverrides($names) {
     $outsider_role_configs = [];
     foreach ($social_group_types as $social_group_type) {
       $default_form_display_configs[] = "core.entity_form_display.group.{$social_group_type}.default";
-      $outsider_role_configs[] = "group.role.{$social_group_type}-outsider";
-    }
-
-    foreach ($outsider_role_configs as $config_name) {
-      if (in_array($config_name, $names)) {
-        $config = $this->configFactory->getEditable($config_name);
-        $permissions = $config->get('permissions');
-        $permissions[] = 'request group membership';
-
-        $overrides[$config_name] = [
-          'permissions' => $permissions,
-        ];
-      }
     }
 
     foreach ($default_form_display_configs as $config_name) {

modules/social_features/social_group/src/Controller/SocialGroupInvitationController.php

@@ -0,0 +1,28 @@
+<?php
+
+namespace Drupal\social_group\Controller;
+
+use Drupal\Core\Access\AccessResult;
+use Drupal\ginvite\Controller\InvitationOperations;
+use Drupal\group\Entity\GroupRelationshipInterface;
+
+/**
+ * Handles Accept/Decline operations and Access check for Social groups.
+ */
+class SocialGroupInvitationController extends InvitationOperations {
+
+  /**
+   * {@inheritDoc}
+   */
+  public function checkAccess(GroupRelationshipInterface $group_content): AccessResult {
+    $result = parent::checkAccess($group_content);
+    $group = $group_content->getGroup();
+
+    if (!$group->hasPermission('join group', $this->currentUser())) {
+      AccessResult::forbidden();
+    }
+
+    return $result;
+  }
+
+}

modules/social_features/social_group/src/Routing/RouteSubscriber.php

@@ -4,6 +4,7 @@
 
 use Drupal\Core\Routing\RouteSubscriberBase;
 use Drupal\social_group\Controller\SocialGroupController;
+use Drupal\social_group\Controller\SocialGroupInvitationController;
 use Symfony\Component\Routing\RouteCollection;
 
 /**
@@ -57,6 +58,14 @@ protected function alterRoutes(RouteCollection $collection) {
       );
     }
 
+    // Do not allow to accept invitation without "join group" permission.
+    if ($route = $collection->get('ginvite.invitation.accept')) {
+      $route->setRequirement(
+        '_custom_access',
+        SocialGroupInvitationController::class . '::checkAccess',
+      );
+    }
+
   }
 
 }