Bookwyrm groups

[hughrun]

Wow, this turned out to be bigger than I expected. Apologies, if I make any in future I'll try to break the changes up a bit.

This PR relates to:

#1318
#170

This PR creates:

1. Groups that a user can join via a GroupMembership
2. A group curation option for Book Lists
3. A group value for lists, so that lists can be associated with a group for curation purposes

Groups do not currently interact with ActivityPub, but could. I am not confident to implement this functionality at this stage, hence not including it, but that's the only reason. I'd be happy to look into this for a later PR. Hopefully I haven't accidentally inluded any AP functionality where it shouldn't be.

Outstanding problems/questions to resolve/things to note

1. I can't work out how to adjust privacy_filter so that Group members can see groups they wouldn't otherwise see (i.e. groups with privacy levels of direct, or of followers when the viewer isn't a follower), whilst ensuring that the privacy filter nevertheless works in all other cases (e.g. when a user is blocked). Currently therefore privacy_filter is NOT applied to group list display on group pages (however raise_visible_to_user will still prevent anyone from seeing a list they shouldn't have access to)

2. I re-used some of the user suggestions code for new users, for searching for potential group members. I have, however, created a new filter function to exlude non-local users, for use until groups are AP compliant.

3. I am assuming that I should not commit anything in the migrations directory, and that maintainers will run makemigrations where appropriate: let me know if this assumption is wrong.

4. I am not sure what to do about group members who block each other. Currently:

   1. If the group.user has blocked a user, the second user cannot access the group page but can access any lists assigned to the group if they are owned by someone else, and can add & delete items on those lists;
   2. If a member of a group who is not group.user creates a list, other members who are blocked by that user cannot see the list (but can see it listed on the group page)
   3. Users who are blocked cannot invite the blocker to join a group because they won't appear in the user-inviting search results.

   The second case could be fixed if privacy_filter worked for groups and group lists. The first case may not matter much because a group owner can simply remove any member from the group, but it is a bit weird and not really ideal.

5. I get a Object of type LocalStream is not JSON serializable error when attempting to unblock a user in my development environment. I'm not sure whether this is an actual bug in Bookwyrm, a problem with my setup, or if I somehow broke something in the codebase. This may need to be checked!

6. I'm guessing you probably want some tests - I created some new classes and filters. What are the expectations/requirements around this?

Groups

1. any user may create a Group.
2. this group.user may send a GroupMemberInvitation to any other user as long as they are not blocked either way
3. the invitee must accept the GroupMemberInvitation to create a GroupMembership.
4. members (users with a GroupMembership connecting them to a Group) can:
   1. create a List with a curation value of group and assign the List to this group
   2. See all Lists associated with the group, on the group home page
   3. see the list page for any List associated with the group, regardless of its privacy value (unless the list.user has blocked them)
   4. add books to and remove books from any List associated with the group (unless the list.user has blocked them)
5. Groups have their own page visible to all users, at /group/{id}

Lists

1. Lists now have a new curation value of group
2. Group-curated lists must be associated with one (and only one) Group
3. Any member of the group can add and remove books to/from the list, unless blocked by the list.user.
4. Lists can have their curation value changed at any point: either by changing it to a non-group curation (closed, curated, open), or by changing the group it is associated with.
5. If a list's curation value is changed, group members no longer have access (unless curation is "public")
6. If a user is removed from the group, their group-curated lists will be changed to closed curation with a group of None.

Notifications

Group members are notified when:

• a new member joins
• a member leaves
• a member is removed
• a book is added to a group-curated list

group.users (group owners) are notified when:

• a user accepts their invitation to join

Users are notified when:

• a group.user invites them to join a group

Abuse and privacy

I have attempted to think about the potential for abuse and mitigate it, however I've probably missed something, and as noted above there are some outstanding problems to resolve.

1. Users must be invited to join a group: you cannot simply make someone a member of a group without them opting in
2. Group curated lists are removed from a group when the list.user leaves the group and given curation=private
3. Users can leave voluntarily or be removed by the group.owner
4. The same privacy levels apply to groups and group-curated lists as for any other object. This means if I group-curate a list with privacy level direct, only group members will be able to access it.
5. privacy_filter needs to be adjusted, or an alternative created for groups, so that the ability to see the existence of a list is also determined by privacy levels (e.g. direct lists don't appear on a group's list of Lists)

Design

As much as possible all changes are based on existing code and attempt to integrate seamlessly. I'm open to presenting any of the new options differently.

[hughrun]

Thanks for these suggestions :-)

Re 1 and 2, this was definitely there at some point, so I must have accidentally broken both of those when I was refactoring. If there are no groups it should invite you to make a group with a link that takes you to your Groups page (which has the button to create a group)

Re 3 - makes sense, I think moving the searchbox into the main panel is the better solution.

Re 4 and 5 I agree but managing state is something I always find tricky so if it can be a follow up PR that would be preferable so I can look into how best to do it and any examples of ways you've handled anything similar.

Re 6 - absolutely!

Re 7 - sounds straightforward, will add it to the list of other fixes.

You should expect a (hopefully) final load of fixes this weekend!

[hughrun]

@mouse-reeve LOL so clearly I need some help with tests, I've managed to break ALL of them.

Other than that:

• all suggestions from your code review have been resolved
• all suggestions in your comment above have been resolved
• users can now delete their groups (whoops, we both missed that one) and any group lists are changed to closed curation with the group removed

Looking forward to seeing this in production once we've sorted out the tests.

[mouse-reeve]

All tests failing is so much better than just some tests failing. It looks like the migrations need to be updated - if you merge in main and then run ./bw-dev makemigrations --merge, that should create a new migration file that resolves the conflicts and you'll be good to go.

[mouse-reeve]

Once the tests are passing I think this is good to go :)

[marek-lach]

Some fediverse applications implement the URL for a group as "https://tavern.town/`groups`/sneakerheads". Bookwyrm could probably accept both /group, and also /groups as a valid group URL, to be compatible in this regard with as many fediverse software as possible?

Awesome feature tho,

[mouse-reeve]

Thank you! Right now, groups aren't federated (see #1548). In terms of compatibility, the url shouldn't make a difference, since the applications should be providing those in the activitypub serializations