24. Revoking invitations

Episodes

01. Introduction and demo (4m 49s)
02. Setup with Pest (4m 2s)
03. Building the user teams relations (6m 5s)
04. Creating a personal team when registering (6m 3s)
05. Leaving all teams when an account is deleted (3m 55s)
06. Tracking the current team (4m 50s)
07. Showing team details in the UI (2m 55s)
08. Switching to another team (7m 24s)
09. Authorising team switching (6m 53s)
10. Updating a team name (10m 48s)
11. Basic roles and permissions setup (5m 26s)
12. Team roles and permissions middleware (9m 18s)
13. Authorising current team updates (3m 43s)
14. Testing team permissions through HTTP requests (3m 58s)
15. Leaving a team (10m 50s)
16. Displaying team members (8m 42s)
17. Making team members look better (5m 3s)
18. Removing a team member (15m 18s)
19. Preventing self removal from a team (4m 7s)
20. Storing invitations (13m 31s)
21. Validating invitations (6m 38s)
22. Authorising team invitation creation (6m 22s)
23. Displaying invitations (3m 16s)
24. Revoking invitations (12m 46s)
25. Sending an invitation email (13m 6s)
26. Accepting an invitation (12m 22s)
27. Displaying a modal to change a member’s role (10m 31s)
28. Updating a member’s role (9m 5s)
29. More authorisation and checks for role changing (10m 14s)
30. Fixing up the email sending test details (49s)
31. Fixing and validating email addresses for invites (1m 32s)
32. Tidying up @can directive checks (3m 25s)
33. Detaching roles when removing users (5m)
34. Adding an extra layer of protection to the team middleware (6m 35s)
35. Getting related models through teams (5m 37s)
36. Building a helper to access the current team (10m 47s)
37. Getting all related models through all teams (7m 15s)
38. Creating new teams (13m 7s)

Transcript

00:00
So to revoke an invite let's start with the permission to do this. Again you don't need
00:04
to necessarily do this but if we come over to our admin role seeder let's go ahead and add in a specific permission to revoke an invite in here or invitation let's call this. Obviously you don't need to do this you could just do this under the entire permission to invite to team but if you wanted them a little bit more granular you can add this in here. Okay let's go ahead and see that in
00:26
the database so we have that in there and let's go ahead and add the ability to revoke an invitation. So obviously if we have permission to revoke we're only going to see this drop down if that's the case so let's say can revoke invitation or revoke invite we'll change that over if we need to and let's say end can there now we haven't even created this in our policy yet but we can just
00:51
very quickly map that out so let's go over to our team policy and let's create out as we're using invites so let's create out revoke invite in here taking the user in here and we could take in the team as well to test that but let's go ahead and just use the simple user can and let's check that permission which we called and let's check what we call that revoke
01:22
invitation so let's just copy that over to our team policy. Okay great so we should as part of this admin be able to revoke this we don't see that at the moment so let's have a look at what we have done here yeah we've just not passed the team in so let's pass the invite team into there and let's make sure it's part of our team invite that's part of a team great so that should work
01:54
now and we should be able to see that perfect now one thing that we can do and we'll be doing this a little bit later is we don't want to show this entire drop down if we can't do any of the actions inside of here so because we're just working with a single one in here it doesn't matter but if we can't revoke an invite obviously we don't want to show this entire drop down because there
02:14
are no actions that we can take so we can actually use can any for this so we can pass through revoke invite and as part of this we can pass the second argument any of the options that go through to here so basically can we do any of the actions that are inside of here let's end that can any and just pull that in and let's just pull all of this up and that should just get rid of the
02:38
entire drop down if we don't have permission to do this okay let's just see why this is not working yeah team so that needs to be invite team and we should be good now don't worry too much about that we'll come back to that later with this because if we don't have permission to change the team member role when we get to that or we don't have permission to remove this user from a team then
02:57
we'll get rid of this entire drop down using the same can any directive okay so when we click on revoke invite we just basically want to delete it from the database so let's go down here and let's register our route we're going to do this directly in the team invite controller so let's open that up and let's create out a destroy method in here so let's pull in our request
03:23
switch that over in a bit and we want to take in the team that this is for but we also want to take in the team invite as well so we can get rid of that so let's call that team invite and again let's just die dump here on the team invite or any of these items we'll hook this up to this form so we want to go ahead and have the ability to delete a team invite within a team and we can use route
03:50
model binding for the team invite as well you could even go ahead and accept the token in as this but I'm just going to do this as an id and you can change this up later so let's go ahead and reference the destroy method and change this to destroy and then we can grab the name of this and hook this up to the form so pretty much everything we've already done okay so inside of
04:09
here let's go and get rid of the href here which we're not going to need let's create out a form here which goes through to that route and remember we're going to need in here the team itself so that's the invite team and the invite itself although you could just pass in the invite on its own and let's set the method to post let's add our cross-site request forgery let's set our method
04:34
for spoofing for that delete method and then let's take this and add this as a button with a type of submit and we should now be able to go ahead and post through so let's click revoke invite and there we go okay so how do we actually revoke an invite well let's go back over to our team invite controller and look at filling this in this is incredibly easy we don't really need to do much
04:57
as part of this all we really need to do is say team invite and delete that will delete the invite and if the email has already been sent which we'll get to later this will just not find the invite and it will just return a 404 okay so let's go ahead and redirect to a specific route and let's go back to team and edit for this and we should be good so let's revoke this one and there we go
05:24
it's gone and we can revoke another one and it's gone great so we can now create invites and revoke them let's add a test for this and of course look at the conditions around this as well so we're going to come over to our team invite controller test and let's go down and fill this in so it can revoke an invite let's do some setup first of all so of course we're always going to have a user here
05:50
who is acting and then we're going to have an invite which we'll just manually create using the team invite model so let's say factory create and in here we'll specifically pass in a team id and the reason that we're doing like this is and not using for is because when we use for we have to pass a new factory instance in we can't tie this directly to an existing
06:15
team and the team is going to be the user's current team id okay so we've got our invite in there we don't have an email so let's actually update our team invite factory to always give an email in here so let's use fake an email and that should do and now what do we need to do well acting as that user we're going to go ahead and send a delete request down to that route here
06:42
team invites destroy and we know that we need to pass in the team that we want to remove this invite from and the invite itself so let's pass both of them in and we're going to assert that we are redirected and we can even choose where we're redirected as well okay let's run this in isolation just to check this out first of all let's say pest filter pull that in and yeah that
07:09
passes so we know that we're getting redirected back but now we want to assert that this is missing from the database so this is going to be under the team invites table and let's go ahead and make sure that this is missing for this specific team so we don't need to mock the token here because the token will have already been stored the team id needs to be the current team for that
07:33
user the token is just going to be the token from the invite which will have been randomly generated so we can just pull that directly out of the database and the email address is just going to be the email address from the invites we just want to make sure that's all disappeared okay let's rerun that test and that looks good great okay so lastly we want to write out a test to make sure
07:54
that we cannot revoke an invite for or without permission that will do so what do we need to do well let's just set this up once again let's say user factory and create we are going to go ahead and add this user to another team let's go ahead and create out another team in here which we're going to try to revoke an invite for so let's say team factory and create and again it doesn't matter
08:28
whether they're part of this team or not we're not going to have permission either way let's then go ahead and create the invite out we can just steal this directly from here so we don't need to keep typing it out and that will be the either the current team id or we could set the team id that the invite's being created for to the other team and then we can try and get rid of that so what
08:50
we're going to do again is we're going to say set permissions team id to the user's current team in fact we in this case we don't need to do that because we're already going to be part of that team in the request so we don't actually need to do this so basically we now have an invite for another team that we do belong to but when we send this across we're not going to have permission
09:11
to do that so let's go ahead and act as that user and let's try and delete that invite so let's go and generate out the route for this team invites destroy passing in the current team that we're within so that's just going to be the user's current team and then passing in the invite and let's assert that this is forbidden okay once again let's just run this test here in isolation
09:40
let's go ahead and say pest filter on this and yeah sure enough it fails we get a redirect so let's go ahead and build this out so team invite controller will switch around the request so it's a little bit tidier so let's go ahead and make out a request in here let's call this team invite destroy request we can switch that out here straight away team invite destroy request
10:09
and let's open this up and we'll authorize this in the way that we've done by saying user can revoke invite and again we're going to pass in the team from the url and the team invite from the url let's check this out by rerunning that test and it still fails so let's just have a look here okay yeah let's think about this so let's go back over to our test here so when we
10:40
send a request down as this user yeah once again we do have permission because this is assuming that we have that permission on our own team so yeah again without middleware here with that team permission like so and then we'll set the permission team id to the other team so yeah basically we are part of another team but we're just a member of that team so yeah that makes
11:06
sense so we're just acting as a member of that other team and obviously we don't have permission to do that let's go ahead and rerun our test and we get green okay let's just run all of our tests just to make sure and that looks good so now we should be good let's go ahead and add in an invite here and yeah we can revoke this invite that all looks good and we have permission to do that but
11:29
of course if I were to create an invite over here and let's do that for another user and I were to log in as Mabel she won't be able to see this anyway but we still shouldn't be able to revoke the invite let's go ahead and just manually test that out there's nothing wrong with doing that so let's go ahead and log in as Mabel's account and we'll just enable this in the ui just to test this
11:54
so we can't see any invites we can't invite anyone but let's go over to the team members section and let's get rid of that just so we can see these at least and we can't see the drop down because remember we apply that can any let's go over to the team invite item and let's get rid of this just to test it out again kind of pointless since we've already written a test for it but
12:23
I like to just do this anyway and let's try and revoke that invite and of course we should get a 403 great so we already knew that was working via our test but it doesn't hurt to manually test this in the ui okay we'll go back over to here and make sure we wrap that in our can invite to team and we are good there we go that's how we revoke invites

38 episodes, 4 hrs 36 mins

Overview

Need team functionality in your Laravel application? Let’s build it from scratch.

We’ll cover the basics of creating teams, switching between them, sending secure team invites by email, and managing team members.

Powering everything will be roles and permissions for each member, with the ability to switch roles directly from your team dashboard.

Once you’re done, you’ll have mastered team functionality in Laravel.

Alex Garrett-Smith
Hey, I'm the founder of Codecourse!
