I am hyperclocking my brain here trying to solve a little puzzle…
My app’s primary customers are doctors - but the actual users will be their assistants.
I would like to have a place on the app where the doctor is able to “add assistants” by typing their e-mail address - which triggers an invitation (probably through Accounts.sendEnrollmentEmail). When the assistant opens the invitation and signs up (creating her own password), she has access to the doctor’s account (limited by her role). If the doctor removes this assistant of the list, her account gets deleted.
Um, you should be filtering your publications based on the current user’s rights anyway. Simply add a reference to the “parent” account into a user’s account and check for that.
Take a look at mizzao:partitioner. It hasn’t been updated in a while, but that’s because it works perfectly.
If you “partition” your database collections based on a users “group”, any database operation is automatically limited to only access or modify items in the same “group”.
When a doctor creates an assistant you add the new user to the same group as the logged in user (the doctor) and everything else is automatic. You can safely publish all “patients” to the assistant, and not worry abut accidentally publishing another doctor’s patients.
Then you only have to worry about roles and permissions.
The highly recommended alanning:roles package also supports this via “groups”
So for each Doctor (or Doctor’s practice?) you would have a group which you could make the Dr an admin with the ability to create Assistant accounts with fewer permissions in that group