It's common when designing a social messaging application to want to restrict which users can interact and open channels between one another.
For example:
- Users who are "friends"
- Users who are "verified"
- Users who belong to a "team"
- Users who follow one another
The issue is that Stream does not have this information, so it cannot base channel creation permissions on it.
Channel Creation Logic
Creating a channel with Stream is one of the operations that can be performed both Client-side and Server-side. The only difference is that when creating a channel server-side a user_id must be passed as the creator. A channel must have a creator.
For more information on creating channels, check out our documentation here.
The ability for a user to create a channel is tied to their role and the permission for the channel type. For example, our default permissions do allow a device connecting with a role of "user" to create any of our default channel types client-side. However, this permission can be granted or revoked for any user role. The permission is called "CreateChannel" and this can be changed through the Stream Dashboard and granted/revoked for each Channel Type.
Any user with this permission will be able to create a channel with any other user_id on the app or team (if Teams/Multi-tenancy is enabled).
Learn more about users, roles, permissions, channel types, and default permissions.
The CreateChannel permission given to users is shown in the Permissions section of a Channel Type in the Stream dashboard.
Abstracting Channel Creation Logic Server-side
If a user has permission to create channels, nothing stops them from creating one with any other user on the app (or team). This means that if you want to allow only users who are "friends" (for example) to communicate, you'll need to move channel creation server-side, where you can make the necessary checks against your own database of "friendships".
The flow might look something like this:
- User A attempts to create a channel with another user, User B
- A request is sent to your server to check if User A and User B are friends
- Your database checks if User A and User B are friends
- You handle the channel creation accordingly (create or don't create the channel)
In the above scenario, users don't have permission to create a channel, so going through your server is the only way to create one. Once the channel is created server-side, the users' devices will receive an event (notification.added_to_channel) so they can update their channel list immediately, or the channel will be available to them the next time they use the queryChannels endpoint to load a channel list when they log in.
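A sketch of the server-side check in the flow above, as an added example rather than Stream's own code. The `friendships` store, the function names, the user-id format check and the stub client are assumptions made for illustration; in production `chat` would be a server-side client from the stream-chat package, such as `StreamChat.getInstance(apiKey, apiSecret)`.

```javascript
// Added example. `friendships` is a hypothetical stand-in for your own database.
// `chat` is a server-side Stream client (not imported here so the block runs offline).

// Constructed sample data: each friendship is stored once under a sorted pair key.
const pairKey = (a, b) => [a, b].sort().join('|');
const friendships = new Set([pairKey('alice', 'bob')]);

// Pure authorization decision, kept apart from the Stream call so it can be tested.
function authorizeChannelCreate(store, requesterId, targetId) {
  // Assumed conservative id format; also keeps '|' out of the pair key.
  const valid = (id) => typeof id === 'string' && /^[\w@-]{1,64}$/.test(id);
  if (!valid(requesterId) || !valid(targetId)) return { allowed: false, reason: 'invalid_user_id' };
  if (requesterId === targetId) return { allowed: false, reason: 'self_channel' };
  if (!store.has(pairKey(requesterId, targetId))) return { allowed: false, reason: 'not_friends' };
  return { allowed: true, members: [requesterId, targetId] };
}

// requesterId must come from the authenticated session, never from the request
// body; otherwise any caller could have channels created in another user's name.
async function createChannelIfAllowed(chat, store, requesterId, targetId) {
  const decision = authorizeChannelCreate(store, requesterId, targetId);
  if (!decision.allowed) return { status: 403, reason: decision.reason };
  const channel = chat.channel('messaging', {
    members: decision.members,
    created_by_id: requesterId, // server-side creation requires a creator
  });
  await channel.create(); // members then receive notification.added_to_channel
  return { status: 201, members: decision.members };
}

// Constructed stub that records calls in place of the real Stream client.
function makeStubChat() {
  const created = [];
  const channel = (type, data) => ({ create: async () => { created.push({ type, data }); } });
  return { created, channel };
}
```

For this to be the only path, the CreateChannel permission has to be revoked for the "user" role on the channel type, as described above.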
You may also be interested in this article about restricting user search client-side.