mpociot / teamwork

User to Team associations with invitation system for the Laravel 5 Framework
MIT License
1.07k stars, 170 forks

Restrict invite, see pending and see team to owner #50

Closed lukasoppermann closed 2 years ago

lukasoppermann commented 8 years ago

Hey,

maybe it would be good to have some configurations (maybe on a per team basis even) to restrict the invite, pending and see members methods to the owner only. Or specific members?

Maybe there could be a canInvite(), canSeeMembers(), canSeePending() method, which by default just checks for the owner but could be customized with any logic (e.g. when using a permission system).

This idea is still a bit hazy, but if you think it is interesting I will put some more thought into it (or maybe you already have a very clear idea of it).

mpociot commented 8 years ago

Hm. I think that this is more part of the implementation logic you would need to provide. So when you allow in your application to invite others, you would need to check against that anyways. How do you think this would be beneficial for this package to simplify things?


lukasoppermann commented 8 years ago

Well, firstly if the Teamwork Model would have these methods it would provide a default case.

Let's say there are configs like 'restrict_invite' => true; if set to true, the canInvite($user) default implementation would check if the user who is currently trying to run the inviteToTeam() method is the owner of the team. I think this use case is very common, you see it on nearly every page, e.g. GitHub itself lets only special people invite people to a team.

If I need different checks, e.g. every user with permission invite-to-team can invite people, I can just overwrite the check within the canInvite($user) method to check for the given permission myself. However, I do not have to implement the logic to throw an exception, or whatever, etc. if the canInvite($user) method returns false.

I hope you see how this can make it much easier.

I think a verification would be part of this package, while of course now showing something, etc. would be part of the logic.

I guess seeing pending & members is possibly not something that needs to be restricted by the package itself, as it is solely a show method and does change stuff.

However Invite is similar to delete as in, it changes the state of the team, thus I think it should be controlled.
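
A sketch of the guarded-invite pattern proposed in this thread, added here as an illustration; it is not code from the teamwork package or from either commenter. The classes, the constructor flag standing in for the 'restrict_invite' config, and the exception name are assumptions; only the names canInvite() and inviteToTeam() come from the discussion.

```php
<?php
// Hypothetical sketch (PHP 8); not the teamwork package's real classes or API.
final class InviteNotAllowed extends RuntimeException {}

final class User
{
    public function __construct(public int $id, public array $permissions = []) {}
}

class Team
{
    public array $pendingInvites = [];

    public function __construct(public int $ownerId, protected bool $restrictInvite = true) {}

    // Default rule: with restrict_invite on, only the owner may invite.
    public function canInvite(User $actor): bool
    {
        return !$this->restrictInvite || $actor->id === $this->ownerId;
    }

    // The state change is guarded in one place, so callers cannot skip the check.
    public function inviteToTeam(User $actor, string $email): void
    {
        if (!$this->canInvite($actor)) {
            throw new InviteNotAllowed("user {$actor->id} may not invite to this team");
        }
        $this->pendingInvites[] = $email;
    }
}

// Application override: a permission replaces the owner check.
class PermissionTeam extends Team
{
    public function canInvite(User $actor): bool
    {
        return in_array('invite-to-team', $actor->permissions, true);
    }
}

// Constructed sample users and addresses.
$team = new Team(ownerId: 1);
$team->inviteToTeam(new User(1), 'a@example.test');       // owner: allowed
try {
    $team->inviteToTeam(new User(2), 'b@example.test');   // member: denied
} catch (InviteNotAllowed $e) {
    echo $e->getMessage(), PHP_EOL;
}
(new PermissionTeam(ownerId: 1))->inviteToTeam(new User(3, ['invite-to-team']), 'c@example.test');
```

Because the override replaces the owner check rather than extending it, an owner without the invite-to-team permission is denied in PermissionTeam; an application that wants both would combine the parent check with its own.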