Hi there, my scenario is the following:
I have an app in which a user creates a group and creates documents to be shared with others in his group. He can invite other people to his group.
Since he does not know the other users id (which has not yet been created), how can he add non existing users to be able to access his documents and channels? I obviously do not want everyone to be able to see every groups documents. What is a good way to implement such a scenario?
Hi @poochie89,
Can you expand a bit more on the use case where the users are not created yet?
Provided that users already exist, you could store the user documents in a profiles channel that every user (or only admin users) have access to. Then, the user can invite other users to his group by adding the corresponding user ids to the group document.
Todolite follows this pattern and in the sync function all users have access to the profiles channel. This way, a user can give other users access to a channel through the members property on the List document.
James
1 Like
Hi james,
i already have gone over the todo demo app. However in my case this approach is not ideal.
The way i would like it to implement is the following: i am in a group and want a to add a friend of mine to the same group. My friend does not have the app installed at the moment.
I want to send him a code or password (by messaging or mailing for example) with which he can get access to my group (after he logged in into the app using his own credentials). Something like this would be ideal.
Thanks for your help,
Johannes
Ok thanks for the info. You could perhaps add an invite-group type of document. All those documents would be in the public channel, named ! in the sync function.
The _id property of that document would be the invite code and it would also hold the channels with the channel names to give access to once registered.
When a new user registers with the invite code, check the validity by making a GET /:db/:invitecode request to Sync Gateway (api). If the document exists, you get back the content and use the channels property to get access to the group channel.
If it’s a 404, then the invitation code is invalid.
Would that solution work better for the scenario you described?
This actually seems like a good solution.
The only thing im worried about is if this is secure? Using this, couldn’t everybody modify all documents? Users should only be able do modify documents if they are in the group.
My idea is the following:
A group document stores all the groups member ids and is pushed to the server.
A users who is already in the group creates a document with a code and his group id in it of type group_invite, which is pushed.
Another user registers, and creates a document of type group_register with the code in it, the sync gateway sync function checks if there is a group_invite document available with that code. If so the group_register users id is added to the group document members property. If not the an error is thrown and the client can show a message that such a invitation code is not found.
The synch function always checks
Am i missing something here?
Only the invite-group documents would be in the public channel. But I understand that the channel names would be immediately returned if the GET /:db/:invitecode request is valid which may not be desired.
I’m not sure how you would check that there is a group_invite document available with that code in the sync function. While processing a document, the sync function can’t access other documents.
However, that could a be a good use case for using a web hook for adding additional logic to fetch the group_invite doc.
Here’s the webhook documentation and it’s available in the Developer Preview of the 1.1 release.
I thought there was maybe a way to access other documents from the sync function. Using your technique users could basically add themselves to groups. I have to decide if that is something i should allow. I dont want some bad guy deleting all my data 
.
I will look into the webhooks, to bad its in dev prev. Maybe i should just add some server logic using node.js or somthing?
Yes, you can add server-side logic using the changes feed.
The upcoming webhook api is an abstraction layer over the changes feed to make it easier to work with. Just register a url to POST to and a filter function for when it should trigger, perform some logic to validate the invite code and write back the results to Sync Gateway via the REST api.