Users without "View group invitations" can't see their invitations

ok, it looks like, we don't have much progress here and I decided to implement the next solution:

1) Since we can't use "view own" permission, because the owner in our case is not current user, but the creator of group relationship and also because of the restriction in QueryAlter classes. I decided to use "view any" permission.
2) I updated the view and now we will take user id not from URL, but from the current account
3) I restricted access to group relationship, now only owner or a user with "invite users to group" permission can view group permission

It looks like we cover all cases:

1) We don't need additional field for owner
2) We still can use creator field to display invitations created by the specific user
3) We just need to provide outsiders "view group invitations"

Automatically closed - issue fixed for 2 weeks with no activity.

This issue is not fixed. It seems that in "GroupInvitationPermissionProvider.php" we check for the "view group invitations" on a view operation. This permission never exists on an invitee since the invitee is not a member of the group yet. Therefore this user can never view its own invitations. Hence, any group permission will never work since the invitee is not a member of the group yet.

A workaround is to create a new Outsider role (non-admin) to the group, for example named "Non-member". This role you can assign the "view group invitations" permission to.

Without a workaround I don't see a solution where we use a permission provider on group level. Because an invitee is always an outsider and therefore cannot have these permissions (unless we have the outsider role).

I don't think an outsider role is the way to go, especially when we have alot of group types and perhabs sub groups, you don't want to specifically add this outsider role to every group just because of this permission check.

I am bit confused here, to accept an invitation, you have to be a registered user and not a member of the current group. It means the user has to be an outsider! I don't see any problem here. Yes, we need an outsider role, yes, we need to provide this role "view group invitations" permission.

@Lobster, yes the invitee is a registered user but not part of the group yet. So it will never have the permission "view group invitations".

You can test this by just inviting a user and then login as the user and go to /user/group-invitations. You will not see the invitation there. The workaround makes them visible but I don't think this workaround should be the fix for this issue.

In my opinion this permission "view group invitations" is for group admins to see all invitations of a group at /group/%group/invitations. This makes sense to put this permission in the group structure. However, a user viewing its own invitations should not depend on this permission. Because its not part of the group yet. I think in the access check you want to skip this permission when the invitee id === current user id.

@daneduijnkerke, We have this dilemma for awhile and I explained my point of view on whole this situation in comment #17. I have tried to find a better solution and believe me there were a lot of ideas, but unfortunately we have restriction on the group module level and I can't do anything about. if you have a solution feel free to reopen ticket and submit your solution. For now it will work like this for Group 2.0 and Group 3.0 versions, you need an outsider role and you need "view group invitations" for this role