allow revoking 'Anyone' invite link when creator/admin is no longer a group member #2416

Open
dotmacro opened this issue Nov 10, 2024 · 3 comments

@dotmacro
Member

Problem

Currently, only the group admin/creator can revoke the "Anyone" invite link. When the admin/creator leaves the group, no other members can revoke the link. This is a great security/privacy concern because if the link is accidentally posted publicly or sent to the wrong email/account/etc, people not meant to be part of the group can join and no other members can prevent this from happening.

Solution

The "Anyone" invite link must be revocable by other group members when the admin/creator is no longer a member of the group.

@dotmacro
Member Author

Who else should be able to revoke the "Anyone" invite link?

@SebinSong SebinSong self-assigned this Dec 26, 2024
@SebinSong
Collaborator

SebinSong commented Dec 28, 2024

When the admin/creator leaves the group, no other members can revoke the link.

When a group creator leaves a group, a feature like the one below apparently becomes unavailable for the group too.

And the permission to these features is governed by this groupOwnerID of the group's state.

@taoeffect
Q. What are your thoughts on the idea that the second earliest member of the group automatically becomes the group owner when the group owner leaves the group? (And then probably also emitting a group notification that lets people know this)

@taoeffect
Member

@SebinSong @dotmacro This issue is really an extension of existing issue #202 — Permissions system via Roles & Permissions.

That issue is what needs to be closed in order to close this issue.

The general idea is that various actions in the app can require that the user performing those actions must have certain permissions. A "role" is a name given to a group of permissions (e.g. "admin" and "moderator" would be roles with different permissions).
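
The situation discussed in this thread, as an added example that is not part of the issue or the project's code: an owner-only check tied to `groupOwnerID` leaves the "Anyone" link with nobody able to revoke it once the creator has left, while a role/permission check does not. Apart from `groupOwnerID`, every name here (the roles table, the `revoke-invite` permission, the group shape, the helper functions) is a hypothetical assumption, and the sample group is constructed.

```javascript
// Hypothetical role table: role name -> permissions it grants (constructed).
const ROLES = new Map([
  ['admin', new Set(['revoke-invite', 'remove-member'])],
  ['moderator', new Set(['revoke-invite'])],
  ['member', new Set()]
])

// Behaviour described in the thread: only the owner may revoke the link.
function canRevokeOwnerOnly (group, userID) {
  return userID === group.groupOwnerID && Object.hasOwn(group.members, userID)
}

// Role-based check: any current member whose role grants the permission may act.
function hasPermission (group, userID, permission) {
  if (!Object.hasOwn(group.members, userID)) return false // former members hold nothing
  const perms = ROLES.get(group.members[userID].role)
  return perms !== undefined && perms.has(permission)
}

// Audit helper: active invite links that no current member is able to revoke.
function unrevocableInvites (group, canRevoke) {
  const someoneCan = Object.keys(group.members).some(id => canRevoke(group, id))
  return someoneCan ? [] : group.invites.filter(inv => !inv.revoked).map(inv => inv.id)
}

function revokeInvite (group, userID, inviteID) {
  if (!hasPermission(group, userID, 'revoke-invite')) throw new Error('permission denied')
  const invite = group.invites.find(inv => inv.id === inviteID)
  if (!invite) throw new Error('unknown invite')
  invite.revoked = true
  return invite
}

// Constructed sample: the creator 'alice' has already left the group.
const group = {
  groupOwnerID: 'alice',
  members: { bob: { role: 'moderator' }, carol: { role: 'member' } },
  invites: [{ id: 'anyone-link', revoked: false }]
}
const canRevokeByRole = (g, id) => hasPermission(g, id, 'revoke-invite')

console.log(unrevocableInvites(group, canRevokeOwnerOnly)) // [ 'anyone-link' ]
console.log(unrevocableInvites(group, canRevokeByRole))    // []
```

The audit helper can be run against either check to find groups whose active links nobody can revoke.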
