Sign in Get started

This episode is for members only

Sign up to access "Laravel Teams" right now.

Already a member? Sign in to continue

Playing

24. Revoking invitations

Episodes

0%

Your progress

Total: 4h 36m
Played: 0m
Remaining: 4h 36m

Join or sign in to track your progress

01. Introduction and demo

02. Setup with Pest

03. Building the user teams relations

04. Creating a personal team when registering

05. Leaving all teams when an account is deleted

06. Tracking the current team

07. Showing team details in the UI

08. Switching to another team

09. Authorising team switching

10. Updating a team name

11. Basic roles and permissions setup

12. Team roles and permissions middleware

13. Authorising current team updates

14. Testing team permissions through HTTP requests

15. Leaving a team

16. Displaying team members

17. Making team members look better

18. Removing a team member

19. Preventing self removal from a team

20. Storing invitations

21. Validating invitations

22. Authorising team invitation creation

23. Displaying invitations

24. Revoking invitations

25. Sending an invitation email

26. Accepting an invitation

27. Displaying a modal to change a member’s role

28. Updating a member’s role

29. More authorisation and checks for role changing

30. Fixing up the email sending test details

31. Fixing and validating email addresses for invites

32. Tidying up @can directive checks

33. Detaching roles when removing users

34. Adding an extra layer of protection to the team middleware

35. Getting related models through teams

36. Building a helper to access the current team

37. Getting all related models through all teams

38. Creating new teams

Transcript

00:00

So to revoke an invite let's start with the permission to do this. Again you don't need

00:04

to necessarily do this but if we come over to our admin role cedar let's go ahead and add in a specific permission to revoke an invite in here or invitation let's call this. Obviously you don't need to do this you could just do this under the entire permission to invite to team but if you wanted them a little bit more granular you can add this in here. Okay let's go ahead and see that in

00:26

the database so we have that in there and let's go ahead and add the ability to revoke an invitation. So obviously if we have permission to revoke we're only going to see this drop down if that's the case so let's say can revoke invitation or revoke invite we'll change that over if we need to and let's say end can there now we haven't even created this in our policy yet but we can just

00:51

very quickly map that out so let's go over to our team policy and let's create out as we we're using invites so let's create out revoke invite in here taking the user in here and we could take in the team as well to test that but let's go ahead and just use the simple user can and let's check that permission which we called and let's check what we call that revoke

01:22

invitation so let's just copy that over to our team policy. Okay great so we should as part of this admin be able to revoke this we don't see that at the moment so let's have a look at what we have done here yeah we've just not passed the team in so let's pass the invite team into there and let's make sure it's part of our team invite that's part of a team great so that should work

01:54

now and we should be able to see that perfect now one thing that we can do and we'll be doing this a little bit later is we don't want to show this entire drop down if we can't do any of the actions inside of here so because we're just working with a single one in here it doesn't matter but if we can't revoke an invite obviously we don't want to show this entire drop down because there

02:14

are no actions that we can take so we can actually use can any for this so we can pass through revoke invite and as part of this we can pass the second argument any of the options that go through to here so basically can we do any of the actions that are inside of here let's end that can any and just pull that in and let's just pull all of this up and that should just get rid of the

02:38

entire drop down if we don't have permission to do this okay let's just see why this is not working yeah team so that needs to be invite team and we should be good now don't worry too much about that we'll come back to that later with this because if we don't have permission to change the team member role when we get to that or we don't have permission to remove this user from a team then

02:57

we'll get rid of this entire drop down using the same can any directive okay so when we click on revoke invite we just basically want to delete it from the database so let's go down here and let's register our root we're going to do this directly in the team invite controller so let's open that up and let's create out a destroy method in here so let's pull in our request

03:23

switch that over in a bit and we want to take in the team that this is for but we also want to take in the team invite as well so we can get rid of that so let's call that team invite and again let's just die dump here on the team invite or any of these items we'll hook this up to this form so we want to go ahead and have the ability to delete a team invite within a team and we can use root

03:50

model binding for the team invite as well you could even go ahead and accept the token in as this but i'm just going to do this as an id and you can change this up later so let's go ahead and reference the destroy method and change this to destroy and then we can grab the name of this and hook this up to the form so pretty much everything we've already done okay so inside of

04:09

here let's go and get rid of the href here which we're not going to need let's create out a form here which goes through to that root and remember we're going to need in here the team itself so that's the invite team and the invite itself although you could just pass in the invite on its own and let's set the method to post let's add our cross-site request forgery let's set our method

04:34

for spoofing for that delete method and then let's take this and add this as a button with a type of submit and we should now be able to go ahead and post through so let's click revoke invite and there we go okay so how do we actually revoke an invite well let's go back over to our team invite controller and look at filling this in this is incredibly easy we don't really need to do much

04:57

as part of this all we really need to do is say team invite and delete that will delete the invite and if the email has already been sent which we'll get to later this will just not find the invite and it will just return a 404 okay so let's go ahead and redirect to a specific route and let's go back to team and edit for this and we should be good so let's revoke this one and there we go

05:24

it's gone and we can revoke another one and it's gone great so we can now create invites and revoke them let's add a test for this and of course look at the conditions around this as well so we're going to come over to our team invite controller test and let's go down and fill this in so it can revoke an invite let's do some setup first of all so of course we're always going to have a user here

05:50

who is acting and then we're going to have an invite which we'll just manually create using the team invite model so let's say factory create and in here we'll specifically pass in a team id and the reason that we're doing like this is and not using four is because when we use four we have to pass a new factory instance in we can't tie this directly to an existing

06:15

team and the team is going to be the user's current team id okay so we've got our invite in there we don't have an email so let's actually update our team invite factory to always give an email in here so let's use fake an email and that should do and now what do we need to do well acting as that user we're going to go ahead and send a delete request down to that route here

06:42

team invites destroy and we know that we need to pass in the team that we want to remove this invite from and the invite itself so let's pass both of them in and we're going to assert that we are redirected and we can even choose where we're redirected as well okay let's run this in isolation just to check this out first of all let's say pest filter pull that in and yeah that

07:09

passes so we know that we're getting redirected back but now we want to assert that this is missing from the database so this is going to be under the team invites table and let's go ahead and make sure that this is missing for this specific team so we don't need to mock the token here because the token will have already been stored the team id needs to be the current team for that

07:33

user the token is just going to be the token from the invite which will have been randomly generated so we can just pull that directly out of the database and the email address is just going to be the email address from the invites we just want to make sure that's all disappeared okay let's rerun that test and that looks good great okay so lastly we want to write out a test to make sure

07:54

that we cannot revoke an invite for or without permission that will do so what do we need to do well let's just set this up once again let's say user factory and create we are going to go ahead and add this user to another team let's go ahead and create out another team in here which we're going to try to revoke an invite for so let's say team factory and create and again it doesn't matter

08:28

whether they're part of this team or not we're not going to have permission either way let's then go ahead and create the invite out we can just steal this directly from here so we don't need to keep typing it out and that will be the either the current team id or we could set the team id that the invite's being created for to the other team and then we can try and get rid of that so what

08:50

we're going to do again is we're going to say set permissions team id to the user's current team in fact we in this case we don't need to do that because we're already going to be part of that team in the request so we don't actually need to do this so basically we now have an invite for another team that we do belong to but when we send this across we're not going to have permission

09:11

to do that so let's go ahead and act as that user and let's try and delete that invite so let's go and generate out the route for this team invites destroy passing in the current team that we're within so that's just going to be the user's current team and then passing in the invite and let's assert that this is forbidden okay once again let's just run this test here in isolation

09:40

let's go ahead and say pest filter on this and yeah sure enough it fails we get a redirect so let's go ahead and build this out so team invite controller will switch around the request so it's a little bit tidier so let's go ahead and make out a request in here let's call this team invite destroy request we can switch that out here straight away team invite destroy request

10:09

and let's open this up and we'll authorize this in the way that we've done by saying user can revoke invite and again we're going to pass in the team from the url and the team invite from the url let's check this out by rerunning that test and it still fails so let's just have a look here okay yeah let's think about this so let's go back over to our test here so when we

10:40

send a request down as this user yeah once again we do have permission because this is assuming that we have that permission on our own team so yeah again without middleware here with that team permission like so and then we'll set the permission team id to the other team so yeah basically we are part of another team but we're just a member of that team so yeah that makes

11:06

sense so we're just acting as a member of that other team and obviously we don't have permission to do that let's go ahead and rerun our test and we get green okay let's just run all of our tests just to make sure and that looks good so now we should be good let's go ahead and add in a invite here and yeah we can revoke this invite that all looks good and we have permission to do that but

11:29

of course if i were to create an invite over here and let's do that for another user and i were to log in as Mabel she won't be able to see this anyway but we still shouldn't be able to revoke the invite let's go ahead and just manually test that out there's nothing wrong with doing that so let's go ahead and log in as Mabel's account and we'll just enable this in the ui just to test this

11:54

so we can't see any invites we can't invite anyone but let's go over to the team members section and let's get rid of that just so we can see these at least and we can't see the drop down because remember we apply that can any let's go over to the team invite item and let's get rid of this just to test it out again kind of pointless since we've already written a test for it but

12:23

i like to just do this anyway and let's try and revoke that invite and of course we should get a 403 great so we already knew that was working via our test but it doesn't hurt to manually test this in the ui okay we'll go back over to here and make sure we wrap that in our can invite to team and we are good there we go that's how we revoke invites

Episode summary

In this episode, we walk through how to implement the ability to revoke (cancel) team invitations in our application.

We start by adjusting permissions, making sure only users with the right authorization can revoke invites. We show how you can add a more granular permission specifically for revoking invites, separate from the broader "invite to team" permission, if you want more fine-grained control.

Then, we set up the policy logic so that the UI only displays the revoke option if you actually have permission. We use a canAny helper to hide the entire actions dropdown if there are no actions you can take—cleaning up the UI.

Next, we build the actual backend route and controller logic: when a user clicks to revoke an invite, it sends a delete request to the server, which simply deletes the invite record from the database and returns you to the team edit page.

After that, we add tests to check both that authorized users can successfully revoke invites, and that users without permission can't. We handle some edge cases, like trying to revoke invites from other teams.

Finally, we do a little bit of manual UI testing just to double-check the logic is sound. By the end of the episode, you’ll be able to confidently invite people to your team, and revoke those invites if necessary, with all the correct permission checks in place!

Episode discussion

No comments, yet. Be the first!