How to implement an invitation code to share resource with another user?

Question

We want to be able to share resources inside our web application with new or other users. We want to do this by implementing an invitation code. I have seen this implemented many times before in other applications (google docs for example), where you send an invitation code to another user and that other user will have whatever access the first user agreed.

I am sure there has to be a pattern, or best approach already documented somewhere, I just need the right words to look for it. Will someone be able to point me in the right direction? Below is the use case:

1. User one (user1) has an account with multiple spaces.
2. User1 wants to share a specific space (space9) with User2 (which is or not on the user table).
3. User1 sends an invitation code to the email of user2.
4. User2 registers and enters the invitation code or clicks on the link to register with the invitation code.
5. User2 has access to space9 and only to space9, not to any other space register for user1.

Edit 1: (Possible Algorithm to Use based on Mark Answer):

In my domain model I have User and Account and each user has 0 or more accounts. Then we also have SharedSpace, each user has 0 or more share space and each account may have 0 or more sharespace. Now Sharespace will contain (inviationCode, spaceCode, active (yes), expiration, email (share with).

Any user who has an account (acct1) is able to share space with

acct1.shareSpace("spaceCodeToShare","Emailofusertosharewith");

The method shareSpace(string,string) will do the following:

1. Create and send invitation Code to email
2. If user is registered, he activates his code either clicking or entering it (using authorize or customAuthorize attribute and IPrincipal to prevent unauthorized access).
3. IF user is not registered then he logs in and after a user entry for this user is created then he activates the code.
4. If user never activates the code the the code expires and the active status toggles to false.

Do you think I am missing anything, it looks more simple than I thought it would be?

Answer 1

It sounds to me like the permissions aspect would be best modeled using Access Control Lists (ACLs). Each resource simply has a an associated ACL, and by default, only the original owner has a permission to the resource.

When you send out an invitation code, you record that code along with the permission it represents. You will need to record that association in a durable store such as a database.

When the invited user activates the invitation code, you promote the potential permission you recorded into a real permission.

I wrote more about ACL-based security here and here.

Answer 2

I am not sure about the existing patterns. But this can be done simply by having well relationed sharedRights table structure.

• sharedRights table got the resourceNames(spaces) , the owner names (author) and who got the shared access (shared users).
• sharedRights is a child table for users (it will refer both the author and the shared user),and the resourceNames(spaces).

if you still wanted to normailze the strucre

• you can create SharedUsers which will have Users relation (many to many)
• SharedResources which will have IDs of SharedUsers and the resource names (many to many)
• And SharedRights which defines the accessrights for sharedusers and sharedresources

finally it would be something like

 Users     ---- SharedUsers      |
                                  ------- SharedRights
 Resourcss ---- SharedResources  |   

After accepting the invitatiion, you have to populate these table with the necessary info. And granding the permission to shared users by referring these table would be simple.