Acceptance and rejection of invitations to groups

Is a same feature request as that of http://drupal.org/node/1839062#comment-6738084.

I reopened this issue because the issue linked in #1 is originally about inviting existing users so we better keep those discussions separatet.
The original idea of this module is to create a user and invite him to the group so he just needs to click the one-time login link and he's logged in and already a member. Without the registration process.
One option to solve this is to set the user status to "blocked" and unblock would be done when user uses the one-time login link for the first time.
This issue can be active and we can discuss what's the best solution and then write a patch for it.

I was thinking of two solutions as
1) By default set the membership status as pending when admin adds the user. Register one more hook menu which will be link to the user to accept the request and is send as a mail to the user. When user opens the link he is shown some message and has two buttons, accept or decline. If accepts then we change the membership status to active if he declines the request then we delete the member from og.

2) Write a own request schema which keeps track of request send, accepted, and declined. Here the accept and decline may happen in the same way as in method 1. Later may be we can integrate this with views to provide a views as a report of admins who accepted or declined the request. Thinking of extending the module. Please update me what you think about it or if you have any other solution.

Thanks,
Sadashiv.

Sadashiv,

Option 1 makes more sense with this module
Option 2 is an overkill for this module and would make more sense to bend Invite module or write a module to link OG 7.x-2.x and (fresh entity based) Invite 7.x-4.x

I made this patch on latest code. If you have applied the patch at http://drupal.org/node/1839062#comment-6736708 or module is older than 16 Nov. then this patch might fail. Try this patch on fresh copy of this module.

The patch adds the user with status pending to the og and sends a additional mail to the user having a link which can be used by the user to accept or decline the request. If user accepts then his membership status is changed to active and if user declines then membership is deleted. Please update me if we have more ideas. I made this patch keeping in mind that we would implement invite feature for existing users too hence have written hook_mail.

Flush caches so that menus get rebuild.

Hth,
Sadashiv.

Integrating with Rules may be great for these events, eg accept and reject events.

Yes, I think rules integration can be made for events like user accepted request or denied the request. This feature request was for sending a mail to user to accept the request or deny the request which is fixed when applied patch in #5. If you want rules integration as a feature request, may be you should open other issue.

Thanks,
Sadashiv.

Sadashiv, thanks for the patch. I will review it in the next days and commit it to dev if all ok.

A complete patch for this feature and additional improvements is attached at http://drupal.org/node/1848436#comment-6846090

Thanks,
Sadashiv.

I agree with comments #7 and #8 above that rules integration would be a good way to solve this issue.

Attached is a patch that provides rules integration, including some default rules to email invitations.

It also includes direct link accept or decline paths because they might be useful in some cases rather than linking to a form and then selecting accept or decline. e.g. og_invite_people/membership_request/123/accept or og_invite_people/membership_request/123/decline

The reason why I needed the rules integration is because with the patch from #10 the user must login before they can accept an invitation, so if they are not yet a member of the site then they need to be sent their account details. If I were being invited to a join a site then I would not expect to receive account details before I have accepted the invitation.

So to meet my needs I am using the tokenauth module to allow an invited user to accept an invitation without having to login
e.g. I altered the rule to email a link like this og_invite_people/membership_request/123/accept?token=123456789
Then with the user_accepted_invitation rules event I can send the user their account details after they have accepted the invitation. Optionally I could also use the user_declined_invitation rules event to delete the user account.

Note: The default rules provided with this patch send both the account details and the invitation at the same time because I didn't want to force a dependency on tokenauth. My use case above is just an example of what you can do with your own rules.

The rule events expose details of the group to rules, so the group name can be included in invitation emails. This will hopefully meet the needs of #1848436: Visibility of groups into which people were invited

This patch also includes the patch from http://drupal.org/node/1839062#comment-6940606 where I'd started the rules integration.

Update: requires latest dev of rules due to #812058: add token support for non-entities

As far as I can see the patch referenced in #10 (I'm looking at http://drupal.org/files/og_invite_people-1848436-6807864.patch) is insecure.

A user with only request group access permission could request group membership, then navigate to og_invite_people/membership_request/{easily guessable og_membership id} and upgrade their access.

I like the idea of creating users with pending access and then giving the option to promote at first login, but there are some bridges to cross first.

The email needs to be user friendly, asking them to click two links is in order is not helpful.

This needs to be secure. Our promotion page needs to have some kind of token based check, similar to user_pass_rehash(). We will have to provide some kind of 'key' somewhere in the email that provides you with membership to the group. It will also have to be time sensitive with an expiry time.

I'm still not sure on how that would work, because I think we would have to persist our an invite key to the og_membership, perhaps as a field on the entity?

It's worth thinking about, this is an important issue, we need to make sure that we get it right.

For reference, this is the block I specifically refer to:

+  if ($og_membership->entity_type != 'user' || $og_membership->etid != $GLOBALS['user']->uid || $og_membership->state != OG_STATE_PENDING || !$group || !og_is_group($og_membership->group_type, $group)) {
+    drupal_set_message(t('Sorry, this invitation was not sent to you.'), 'warning');
+    drupal_goto();
+  }

Attached is a module that provides acceptance or rejection of invitations to groups.

This uses the og_invite_people rules support provided by the patch on #2458901: Rules Support

This provides urls for accepting or rejecting the invitation and provides alternative default emails which include these links.

The email text can be overridden with rules config.

A user account is not created until an invitation is accepted. Similarly, if inviting an existing user they are not added to the group until they have accepted the invitation.

If a user possesses the invitation link (which has a secure token) they can accept the invitation, even if they already have an account under a different email address.

This could be included as part of og_invite_people, as a submodule or a separate contrib module. Personally I think this would be better default behaviour for og_invite_people but I am open to suggestions on how to proceed.