Checklist
Suggestion
Opening this issue so as to document the way we currently approach user group related "add user" functionality and provide some suggestions on how we can improve on it for both existing and upcoming module features.
The limitation I'm about to describe is currently exclusively related to the Chat module's chat group feature, but should soon start affecting Authentication once its own user groups feature gets released.
As of right now, user authenticated application requests for creating a chat room and adding additional users to it unilaterally add target users to the group without any way for them to accept or decline this action.
While administrators should definitely be capable of operating in such a way, normal user requests should ideally be inviting other users to a group instead.
Automatically adding others into a group can not only end up being frustrating, depending on the app, but may also end up getting exploited by malicious users spamming such requests.
We would be retaining the existing functionality for apps that are best suited for it through a configuration option of course.
Adding users to a group, in the default configuration, should ideally send them an invitation for them to accept or decline.
We should also be sending out socket events for this so that client apps can pick these up in real time.
The very same considerations should be taken into account while implementing Authentication's user groups feature.
If we wish to take this up a notch at some point down the line we could make it so users' connections of sorts can be allowed to automatically add them to groups or even let users themselves configure their own preferences, but offering simple module configurations for it would be more than enough for most use cases and definitely not overkill.
Checklist
Suggestion
Opening this issue so as to document the way we currently approach user group related "add user" functionality and provide some suggestions on how we can improve on it for both existing and upcoming module features.
The limitation I'm about to describe is currently exclusively related to the Chat module's chat group feature, but should soon start affecting Authentication once its own user groups feature gets released.
As of right now, user authenticated application requests for creating a chat room and adding additional users to it unilaterally add target users to the group without any way for them to accept or decline this action.
While administrators should definitely be capable of operating in such a way, normal user requests should ideally be inviting other users to a group instead.
Automatically adding others into a group can not only end up being frustrating, depending on the app, but may also end up getting exploited by malicious users spamming such requests.
We would be retaining the existing functionality for apps that are best suited for it through a configuration option of course.
Adding users to a group, in the default configuration, should ideally send them an invitation for them to accept or decline.
We should also be sending out socket events for this so that client apps can pick these up in real time.
The very same considerations should be taken into account while implementing Authentication's user groups feature.
If we wish to take this up a notch at some point down the line we could make it so users' connections of sorts can be allowed to automatically add them to groups or even let users themselves configure their own preferences, but offering simple module configurations for it would be more than enough for most use cases and definitely not overkill.