Background
There are several places in Synapse where a user needs to reference a collaborator who they find are is not yet in Synapse. The main two are: (1) adding someone to a Team and (2) adding someone to an Access Control List. This set of services allows the creation of a 'user precursor' to which Team invitations and ACLs can be related. When the precursor is linked to an actual Synapse user, the resources provided to the precursor become those of the Synapse user.
UI Mockup
...
https://docs.google.com/presentation/d/1SKSzfWaOBAPdN87ivTXnLxV3ItuY7VoWANcXWeglxN0/edit?usp=sharing
create an external user token (EUT) (+ various meta data, e.g. first, last, email)
table columns: ID, token, first, last, email, principalId (initially null)
prior to its acceptance (when principalId is null), the EUT can be rescinded
should be able to update with new token (but keeping the same EU ID)
should sending the EUT to the person be a server-side or client-side function?
service to create a team invitation linked to an EU + services for all CRUD on such an object
shall we generalize the existing invitation or create a new object?
service to update an EU record, associating a principal Id
anyone having the EUT can link the EU record to their account
at this point the EUT can't be rescinded by the creator
the Additional Requirements/Suggestions (from March 3 meeting):
- need a 'batch mode' to allow a list of email addresses to be specified
- forget the fname, lname fields
- if a given email is already an alias in Synapse, invisibly convert into a membership invitation
- after some expiration date, using the invitation-link should generate a membership invitation request
Client Responsibilities
The client is responsible for the sequence:
1) create or select an account
2) link the EUT precursor to the account
3) retrieve the associated team invitation(s) and accept them (or and present them for acceptance)
The client must ensure Synapse is logged out before the sequence begins.
following link must log out any user
Services
...
| URI | Request Method | Request Param's | Request Body | Response Body | Description | Authority | |||
|---|---|---|---|---|---|---|---|---|---|
| /userPrecursor | POST | email, fname, lname, invitation message | ID, token | Create a user precursor for the given email address. Sends email to invited user. 400 response if email has been used before. | authenticated users | ||||
| /userPrecursor | GET | limit, offset | PaginatedResults of precursor | Returns all precursors created by the user. (Ordered by creation time stamp?) | Precursor creator. | ||||
| /userPrecursor/{id} | GET | -- | -- | ID, token, principalID (or null), email, fname, lname | Precursor creator. | ||||
| /userPrecursor/{id} | PUTDELETE | -- | -- | -- | Update existing Delete user precursor. 403 status if precursor is already bound to an entity. | Precursor creator. | |||
/userPrecursor/{id} | DELETE | -- /principal Q: Is this the best URI? | POST | token | -- | -- | Delete user precursor. | Precursor creatorBind a precursor to the principal of the currently authenticated user. Any entity access records for the precursor become ACL records. | Authenticated users. |
| /userPrecursor/{id}/access/entity | POST | -- | entity ID, access type | ? | Adds the given access type to the given entity to the given precursor. 403 status if precursor is already bound to an entity. | Precursor creatorCHANGE_PERMISSION access to the entity. | |||
| /userPrecursor/{id}/access/entity/{entityId} | DELETE | -- | -- | -- | Remove all access to the given entity for the given precursor. 403 status if precursor is already bound to an entity. | CHANGE_PERMISSION access to the entity. | Precursor creator. | ||
| /userPrecursor/{id}/openInvitation | GET | teamId, limit, offset | -- | PaginatedResults<MembershipInvitation> | Get a paginated list of all the open membership invitations extended to a user, optionally filtering by teamId. | PUBLIC |
Note: The MembershipInvtnSubmission object is extended to accept either a principal ID or a precursor ID. So all the CRUD operations on this object now support user precursors.
Database Tables:
USER_PRECURSOR
- ID
- TOKEN
- PRINCIPAL_ID (can be null)
- USER_PROFILE
ACL_PRECURSOR
- ID
- ACL_ID
- USER_PRECURSOR_ID
ACL_PRECURSOR_ACCESS_TYPE
- ID
- ACL_PRECURSOR_ID
- ACCESS_TYPE