This repository has been archived by the owner on Sep 21, 2022. It is now read-only.

Add invitations query #16

Merged: 11 commits, Jun 2, 2020

@loan-laux (Contributor) commented May 4, 2020

Resolves #13
Impact: major
Type: feature

Test with api-plugin-authorization-simple#14
Test with api-utils#33

Issue

This plugin needs an invitations query to list all staff member invites, with paginated results and only allowed to admins.

Solution

Create an invitations query using a MongoDB aggregate, which also enables querying for the invitation's shop, the account who sent the invite and the groups the person was invited to. Example:

query invitations($shopIds: [ID]) {
  invitations(shopIds: $shopIds) {
    nodes {
      _id
      groups {
        name
      }
      email
      shop {
        name
      }
      invitedBy {
        emailRecords {
          address
        }
      }
    }
  }
}

Breaking changes

None.

Testing

  1. Send multiple invites to multiple staff members.
  2. Query invitations.
  3. Expect to see the invitations that you sent earlier.

@loan-laux (Contributor Author)

Still a draft because I need to add the appropriate permission migration in the authorization plugin.

@loan-laux marked this pull request as ready for review May 7, 2020 13:35

@loan-laux (Contributor Author)

This is ready for review, but I think I'm missing something on the way object-specific permissions work. It would make sense to restrict this query to:

  • people who have the right to manage every shop, if they don't provide shopIds; or,
  • people who have account-manager rights on the shops referred to in shopIds

As it stands, I'm not sure it accomplishes this. If I pass a random shop ID (which doesn't exist as I only have one shop set up), it doesn't throw a permission error... But isn't it supposed to?

@loan-laux requested a review from aldeed May 8, 2020 13:48

@aldeed (Contributor) left a comment

See one big inline comment.

Regarding the invitations role, I think it would be best (at least for now) to use

await context.validatePermissions("reaction:legacy:groups", "manage:accounts", { shopId });

That is what we check before allowing you to create an invite in inviteShopMember, so it makes sense that the same permission would let you see invitations? In the long run we might want something more like invitations with read/write variations, but I'd go with simple solution for now.

Also the system manager global group already has manage:accounts permission, so it should work to do the same change with null shopId.

src/queries/invitationsAggregate.js Outdated
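One way to run the permission check discussed in this review before building the aggregate filter, written as an added example that is not the plugin's code. Only the `validatePermissions` call and its two strings come from the page; `authorizeInvitationsQuery`, `makeContext`, `outcome` and the grants model are hypothetical.

```javascript
// Resource and action strings as quoted in the review comment.
const RESOURCE = "reaction:legacy:groups";
const ACTION = "manage:accounts";

// Authorize every requested shop, then return the Mongo filter to aggregate on.
// Hypothetical helper: the name and the returned filter shape are assumptions.
async function authorizeInvitationsQuery(context, { shopIds } = {}) {
  if (Array.isArray(shopIds) && shopIds.length > 0) {
    const unique = [...new Set(shopIds)];
    // One check per requested ID: a single denial rejects the whole query,
    // so an unknown or unmanaged ID cannot ride along with an allowed one.
    await Promise.all(unique.map((shopId) =>
      context.validatePermissions(RESOURCE, ACTION, { shopId })));
    return { shopId: { $in: unique } };
  }
  // Missing or empty shopIds means "all shops": require the global permission
  // (null shopId) instead of silently skipping the check.
  await context.validatePermissions(RESOURCE, ACTION, { shopId: null });
  return {};
}

// Constructed stand-in for the API context. `grants` is the set of shop IDs
// the caller manages; "*" models a global grant such as the system manager group.
function makeContext(grants) {
  return {
    async validatePermissions(resource, action, { shopId }) {
      const allowed = resource === RESOURCE && action === ACTION &&
        (grants.has("*") || (shopId !== null && grants.has(shopId)));
      if (!allowed) throw new Error("Access Denied");
    }
  };
}

// Returns the filter as JSON, or the denial message, for easy inspection.
async function outcome(context, args) {
  try {
    return JSON.stringify(await authorizeInvitationsQuery(context, args));
  } catch (err) {
    return err.message;
  }
}

// Constructed sample: a shop-level manager asks for a shop they do not manage.
outcome(makeContext(new Set(["shopA"])), { shopIds: ["shopA", "nonexistent"] })
  .then((result) => console.log(result));
```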
@loan-laux (Contributor Author)

@aldeed Just applied your suggestions. As for the parent.groupIds on the groups field resolver, it's supposed to work hand-in-hand with #10. I've added backwards compatibility for parent.groupId in case we're dealing with invitations that were sent with a previous version of the plugin.

@aldeed merged commit 7e0880a into reactioncommerce:trunk Jun 2, 2020

@rc-publisher (Collaborator)

🎉 This PR is included in version 1.4.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@rc-publisher added the released label Jun 17, 2020