
No way to view status or cancel outstanding owner invitations #2868

Open
Nemo157 opened this issue Oct 4, 2020 · 4 comments
Labels
C-enhancement ✨ Category: Adding new behavior or a change to the way an existing feature works

Comments

@Nemo157 (Member) commented Oct 4, 2020

After inviting someone to be an owner of a crate there is no way to see the status of this invitation, other than remembering you sent the invitation and querying owners to see whether they have accepted it. Also, until the invitation is accepted there is no way to cancel/revoke the permission, so if at some point after sending you realise the invited user is untrustworthy, there is no way to stop them from accepting the invite and removing your ownership permission.

@Shnatsel (Member) commented Oct 4, 2020

Related: invitations never expire (#2869)

@Turbo87 Turbo87 added C-enhancement ✨ Category: Adding new behavior or a change to the way an existing feature works and removed C-feature-request labels Feb 11, 2021
bors added a commit that referenced this issue Jun 16, 2021
mirage: Implement `crate_owner_invitations` endpoints

This should simplify implementing #2868 in the future :)
@pietroalbini (Member) commented:

Opened #3763 to provide the required data to the frontend. Once that's merged, the frontend needs to display the data and the backend needs to authorize crate owners to decline invitations on their crate.

Note that to prevent abuse the endpoint doesn't publicly expose invitations. An invitation is going to be accessible through the API only if you're authenticated and you're the invited person or an owner of the affected crate.

@Shnatsel (Member) commented:

One use case such privacy prevents is detailed listing of all owners by cargo supply-chain, but this is probably a reasonable trade-off.

@cuviper (Member) commented Jul 1, 2021

When it comes to supply-chain, you also don't know who the current owners may invite tomorrow. I think a pending invitation is not so different, just a step closer, as the invited person is not an owner yet.

bors added a commit that referenced this issue Aug 18, 2021
…bo87

Add the `/api/private/crate-owner-invitations` endpoint

The endpoint provides a listing of all the invitations sent to the current user or all the invitations to a crate the user owns. Unauthenticated users or unrelated users won't be able to see others' invitations to prevent abuses.

The two ways to query the endpoint are:

    GET /api/private/crate-owner-invitations?crate_name={name}
    GET /api/private/crate-owner-invitations?invitee_id={uid}

The endpoint is paginated using only seek-based pagination, and the next page field is provided when more results are available.

Once the frontend switches to use the new endpoint we can safely remove the old "v1" endpoint, as that's only used by the frontend. Because of this, the "v1" endpoint internally uses the same logic as the new one and converts the data to the old schema.

Part of #2868
r? `@Turbo87`
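The authorization rule stated in the thread (an invitation is visible only to an authenticated caller who is the invitee or an owner of the crate) and the seek-based paging of the `/api/private/crate-owner-invitations` listing, modelled as an added example. This is not crates.io code: the in-memory `Store`, the `Forbidden`/`Unauthenticated` error split, the `next_seek` field name and the sample invitations are all assumptions made for illustration.

```rust
// Added example, not crates.io code. Models the "invitee or crate owner only"
// authorization rule and seek-based pagination over a constructed in-memory store.
use std::collections::HashSet;

#[derive(Debug, Clone, PartialEq)]
pub struct Invitation {
    pub id: u64,
    pub crate_name: String,
    pub invitee_id: u64,
    pub inviter_id: u64,
}

/// Hypothetical stand-in for the database.
pub struct Store {
    pub invitations: Vec<Invitation>,
    /// (crate_name, owner user id) pairs.
    pub owners: HashSet<(String, u64)>,
}

/// The caller; `None` means unauthenticated.
pub type Requester = Option<u64>;

/// The two query shapes the endpoint accepts.
pub enum Query {
    CrateName(String),
    InviteeId(u64),
}

#[derive(Debug, PartialEq)]
pub enum ListError {
    Unauthenticated,
    Forbidden,
}

pub struct Page {
    pub invitations: Vec<Invitation>,
    /// Seek key (id of the last row returned); absent when no more results exist.
    pub next_seek: Option<u64>,
}

impl Store {
    fn is_owner(&self, user: u64, crate_name: &str) -> bool {
        self.owners.contains(&(crate_name.to_string(), user))
    }

    /// Authorize first (before touching any data), then filter, then page by id.
    pub fn list(&self, requester: Requester, query: &Query, seek: Option<u64>, per_page: usize)
        -> Result<Page, ListError>
    {
        let user = requester.ok_or(ListError::Unauthenticated)?;
        match query {
            Query::CrateName(name) if !self.is_owner(user, name) => return Err(ListError::Forbidden),
            Query::InviteeId(id) if *id != user => return Err(ListError::Forbidden),
            _ => {}
        }
        let mut matching: Vec<&Invitation> = self
            .invitations
            .iter()
            .filter(|inv| match query {
                Query::CrateName(name) => &inv.crate_name == name,
                Query::InviteeId(id) => inv.invitee_id == *id,
            })
            .filter(|inv| seek.map_or(true, |s| inv.id > s))
            .collect();
        matching.sort_by_key(|inv| inv.id);
        let has_more = matching.len() > per_page;
        matching.truncate(per_page);
        let next_seek = if has_more { matching.last().map(|i| i.id) } else { None };
        Ok(Page { invitations: matching.into_iter().cloned().collect(), next_seek })
    }
}

/// Client-side loop: follow `next_seek` until it is absent.
pub fn list_all(store: &Store, requester: Requester, query: &Query, per_page: usize)
    -> Result<Vec<Invitation>, ListError>
{
    let mut out = Vec::new();
    let mut seek = None;
    loop {
        let page = store.list(requester, query, seek, per_page)?;
        out.extend(page.invitations);
        match page.next_seek {
            Some(s) => seek = Some(s),
            None => return Ok(out),
        }
    }
}

/// Constructed sample data: user 10 owns `foo`, user 11 owns `bar`.
pub fn sample_store() -> Store {
    let inv = |id, c: &str, invitee, inviter| Invitation { id, crate_name: c.into(), invitee_id: invitee, inviter_id: inviter };
    Store {
        invitations: vec![inv(1, "foo", 20, 10), inv(2, "foo", 21, 10), inv(3, "bar", 20, 11), inv(4, "foo", 22, 10)],
        owners: vec![("foo".to_string(), 10), ("bar".to_string(), 11)].into_iter().collect(),
    }
}

fn main() {
    let store = sample_store();
    let all = list_all(&store, Some(10), &Query::CrateName("foo".into()), 2).unwrap();
    println!("owner 10 sees {} invitations on foo", all.len());
    println!("unauthenticated caller: {:?}", store.list(None, &Query::CrateName("foo".into()), None, 10).err());
}
```

The authorization check runs before the query touches invitation rows, so an unrelated user learns nothing from the response shape about whether a crate has pending invitations; the paging key is the last returned id, so a caller cannot skip ahead with an offset into rows it was never shown.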