Intermediate invitation approval

[vanderzielj]

Background: I plan to begin work on a new phase of our Django (v5.0.0) project which integrates django-organizations (2.5.0) and django-adfs-auth. I plan to create django-organization invitation back-ends that integrate with Microsoft Entra External ID B2B invitation back-ends. I plan to require that an external user be part of an organization - whether that be an organization created specifically for that user or whether that be an existing organization. Any users have experience with this?

I am considering an option of allowing a user to invite themselves to an existing organization (with a distinct organization owner). However, I would like to require the approval of the organization owner before the invitation gets created or sent. Any ideas about how I might go about this? I assumed that I would have to create a queue data structure (or perhaps use something like django-user-tasks that would be presented to the owner for approval but I don't have a more detailed plan at this point. Suggestions?

[bennylope]

I can't speak to the integration, but as to this:

I would like to require the approval of the organization owner before the invitation gets created or sent. Any ideas about how I might go about this?

There are several ways you could go about it. It's not clear if you can create any kind of authenticated user as an external

1. Allow the user to add themself to the organization (i.e. creating an organization user) but as an inactive organization user (using a custom model class). Allow the organization admin(s) to approve, with or without a notification. This doesn't involve the invitation backend at all; contingent on external users being able to create an authenticated user.
2. Add an "approved" flag to your invitation model, and present a view by which a new user creates an unapproved invitation, which triggers either nothing or some workflow (e.g. an email) to the organization admin(s). Given a list view of invitations, show the unapproved invitations. An invitation-specific "approve" view, which requires org admin access, is then used to mark the invitation as approved (or deleted, I suppose) and the rest of the normal invitation workflow is triggered from here.
3. Another option would to be add a separate InvitationRequest model. Add a foreign key to your invitation model, and then when a new request is created you can, e.g. send an email or other notification to the organization admin(s) (if desired! not necessary) and present a list view of requests. Approval could trigger the same logic in the invitation when someone is normally invited, albeit triggered by the admin.

[vanderzielj]

These all look like great suggestions - thanks!

The integrated process would be something like this:

1. call the Django organizations invitation process to create an invitation to the specified organization with the user information provided.
2. call the Entra invitation API providing the user's email address (username for my app) as and the Django Organization activation url as the Entra inviteRedirectUrl (TBD whether I want Entra to send the email or my application)
3. user follows the redemption url which activates the Entra account after which the user is redirected to the Django organizations activation link with the GUID.