feat: Add the possibility to create invitation links to circles#2254
feat: Add the possibility to create invitation links to circles#2254Koc wants to merge 1 commit into
Conversation
8301408 to
a89bf72
Compare
baffcc3 to
af15456
Compare
af15456 to
018eea9
Compare
018eea9 to
08b6110
Compare
213cfc1 to
b01cd7a
Compare
| $initiatorHelper = new MemberHelper($circle->getInitiator()); | ||
| $initiatorHelper->mustBeAdmin(); | ||
|
|
||
| $new = clone $circle; |
There was a problem hiding this comment.
Why is it needed to clone the circle object?
There was a problem hiding this comment.
I've just inspired from already existent verify method implementations:
circles/lib/FederatedItems/CircleConfig.php
Line 128 in 6c37964
- ...
| * | ||
| * @throws InvalidIdException | ||
| */ | ||
| public function replace(CircleInvitation $circleInvitation): void { |
There was a problem hiding this comment.
Could there be multiple invitation per circle? If so, shouldn't we delete a specific invitation, and not all of them?
There was a problem hiding this comment.
not now. In theory we can add that, but in this case we need rework UI and introduce something like "invitation link name" to distinguish links.
I would like to start with something really simple and improve it later
| $qb->limitToInitiator(CoreQueryBuilder::CIRCLE, $initiator); | ||
| $qb->orderBy($qb->generateAlias(CoreQueryBuilder::CIRCLE, CoreQueryBuilder::INITIATOR) . '.level', 'desc'); | ||
| $qb->addOrderBy(CoreQueryBuilder::CIRCLE . '.display_name', 'asc'); | ||
| $qb->leftJoinCircleInvitation(CoreQueryBuilder::CIRCLE); |
There was a problem hiding this comment.
Shouldn't we join only if $probe->hasInvitationCode() === true?
bac0d4e to
524ff22
Compare
524ff22 to
63d11c0
Compare
63d11c0 to
23a9469
Compare
I can't use |
cb5808c to
c1227d7
Compare
Signed-off-by: Kostiantyn Miakshyn <molodchick@gmail.com>
c1227d7 to
ab2ab91
Compare
| } catch (MemberNotFoundException) { | ||
| if (!$circle->isConfig(Circle::CFG_OPEN)) { | ||
| $allowedToJoin = $invitationCode && $circle->getCircleInvitation()?->getInvitationCode() === $invitationCode; | ||
| if (!$circle->isConfig(Circle::CFG_OPEN) && !$allowedToJoin) { |
There was a problem hiding this comment.
since invitationCode is returned in GET ocs/v2.php/apps/circles/circles, that would mean every member of the circle, regardless of membership level, can see the code, right? So in the following scenario:
circle_abcdoes not haveCircle::CFG_OPENenabled- a member of
circle_abcgets theinvitationCodefrom the response (network tab) - shares the code with john
- john uses it to call
POST ocs/v2.php/apps/circles/invitations/{invitationCode}
when reaching this if statement, $allowedToJoin would resolve to true, so even though the circle isn't open, john would be able to bypass the config and join it, no?
| try { | ||
| $this->setCurrentFederatedUser(); | ||
|
|
||
| $outcome = $this->circleService->createInvitation($circleId); |
There was a problem hiding this comment.
shouldn't this only be reachable by members with certain levels (e.g. admin, owner)? as it is right now, seems like anyone can create invitations
you can see on other methods of this controller how permissions are handled, for example here:
https://github.com/nextcloud/circles/blob/master/lib/Controller/LocalController.php#L423
| try { | ||
| $this->setCurrentFederatedUser(); | ||
|
|
||
| $outcome = $this->circleService->revokeInvitation($circleId); |
There was a problem hiding this comment.
same as createInvitation()

This PR adds possibility to generate invitation link (even for completely hidden/closed Circles). Any user is able to join to the circle by opening this link.
Dependencies