User Invitation/Poking a user to a topic is now live!


(Tarak'ha) #30

I would like to know the answer to this too. Because I would rather users not be able to invite visitors into a restricted category topic.


(Tobias Eigen) #31

I am assuming nothing has changed as regards category access privileges. Only admins can invite and add people to non-public categories. (Just tested this - yes, regular users do not see the INVITE button on private categories they are in) So @purldator you can relax. :wink:

What @thomaspurchas has me thinking about is that I would love to be able to do is give some users (e.g. by TL) permission to invite others to specific topics in private categories even if they do not already have access to the group. This request comes up all the time in my community. E.g. we have a leadership team with their own private category that only they are allowed to access. Occasionally they start topics and want to pull someone else into the discussion who is not in the group just to that topic.

The INVITE feature would be ideal for this. They’d be informed upon inviting them that the invitee will only get access to the topic, not the whole category. That another user has access would probably also have to be indicated somewhere in the topic, perhaps at the top next to category/tags?


(Jeff Atwood) #32

Topic level permissions do not exist in Discourse, what you describe is impossible.

If you invite someone to a restricted topic, you would be permanently adding them to the group that has access to that category.


(Tobias Eigen) #33

Yup - I’m aware that this is the way it works now. What I was dreaming about was how great it would be to have topic-level permissions.


(Jeff Atwood) #34

I feel that allowing one off topic access to an individual in a secure category is quite weird and prone to a lot of problems, even if it did exist.


(Thomas Purchas) #35

I was under the impression that this was just a ping feature (assuming the use of usernames), and that is all it ever would be.

The idea of inviting people to a private topic has come up a few times. But @sam and @codinghorror have always been a bit unhappy with the idea, for a number of good reasons (check the thread for details).


(Jeff Atwood) #36

@techapj we need a better way of handling this for tl2 users. Maybe just never show invite on any topic in a private category to a non staff member. Staff members can send invites that add people to the necessary group, but there is no way a non staff member should have that ability.

We did talk about having a “group owner” who has the right to add people to their group. I suppose this person could also invite users to a private topic if it was a group they owned.


(Kane York) #37

Here’s the current logic for whether to show the invite button, for reference.

  def can_invite_to?(object, group_ids=nil)
    return false if ! authenticated?
    return false unless ( SiteSetting.enable_local_logins && (!SiteSetting.must_approve_users? || is_staff?) )
    return true if is_admin?
    return false if ! can_see?(object)

    return false if group_ids.present?

    if object.is_a?(Topic) && object.category
      if object.category.groups.any?
        return true if object.category.groups.all? { |g| can_edit_group?(g) }
      end
      return false if object.category.read_restricted
    end

    user.has_trust_level?(TrustLevel[2])
  end

(Thomas Purchas) #38

I was kinda hoping that there would be a ping feature that would let you notify users about a topic, assuming that they had permission to view it.

That’s what I thought this feature was, an @mention without the need to create a post, or munge a name into a sentence.


(Tarak'ha) #39

That is different than allowing users to open the door for visitors and unauthorized users the administrator doesn’t know into a restricted category.

I think that would be solved by keeping the ‘invite’ button active on topics in a restricted category but instead query the username being poked and see if they have access. If they do, the poke is successful. If not, it returns an error to the poker. Inviting visitors via email from the outside isn’t available in any measure.


(Thomas Purchas) #40

The error shouldn’t be fatal so that you can still invite groups of people simultaneously without have to make sure that everyone has permissions. (That may already be true with the rate limiting error)


(Tarak'ha) #41

Whole #groups, probably not. A small unique list of users? Depends if a poker can add names one at a time. I haven’t had a chance to test the new poke/invite feature yet. But I can see it similar in ux/ui with how a user adds categories to their Watched/Tracked/Muted lists in user prefs.


(Thomas Purchas) #42

The invite box already allows the use as @groups as aliases (i.e. enter an @group and it will expand out to its members).

Looking at the commit history, this appears to be a deliberate feature that was added after the first release of the poke feature.


(Tarak'ha) #43

If so then there has to be a permissions check already built in. And then again, if so* (which I sincerely hope it does) then it can make a silent/soft error or a fatal one, or something in between.

*I’d check but I’m procrastinating on a server build. :sweat_smile:


(Jeff Atwood) #44

That is what it is. People are trying to pervert it into a permission grant.


(Thomas Purchas) #45

I have to admit that mixing a ping feature with an invite feature is a tad confusing. I understand that they both invite people to things, either the forum or the thread. But they are very different.

The email invite sends a notification email, and potentially gives the new user a selection of permissions (via groups) they wouldn’t get through a normal sign up.

This new invite feature operates entirely internally. It neither signs people up, or gives them permissions. Could I suggest that maybe it gets it’s own button e.g. “Mention”, “Inform [User]”, “Alert [User]” or perhaps add the functionality to the share button.

I’m having difficulty describing it, but it feels like this feature only ended up on the “Invite” button because the verb describes it quite well, not because it’s a similar feature or fits in the same logical grouping. Also moving it away from the “Invite” button makes it clear that nothing that special happens when you use the feature.


(Michael Downey) #46

This is the logical place for it.


(Mittineague) #47

There’s enough room here, though I don’t know if for some sites it might already be cramped real estate. And I’m sure a better FontAwesome icon could be used.


(Jeff Atwood) #48

If it walks like a duck and it quacks like a duck…

It is an identical action, “hey check out this totally rad topic!”, whether the user has an account on the site or not is irrelevant.


(Thomas Purchas) #49

To me that also perfectly describes what the share button is for.

On my site we have SSO enabled so the invite button never appears. Now the invite button has appeared, and it’s functionality could easily be descirbed by the share button I.E. “Here’s this totally rad topic that I want to share with you”.