Allow users invited by staff to skip approval

When a new user joins via an invite link, I’m finding that I also need to approve the user at the moment.

This defeats the whole purpose of an invitation; I may as well just send them the link to the forum.

I’ve tried this for a variety of situations (new link, old link, single person, multiple) on more than one instance, and it is the same.

I’ve got /admin/site_settings/category/all_results?filter=must_approve_users TRUE for these instances. It seems to be taking it a bit too literally! I want only to need to approve those who are joining without an invite, which is how things used to operate.

3 Likes

If you set must approve users you explicitly opted that every user must be explicitly approved.

We had to change this due to security concerns of Discourse users.

I guess change the forum to “invite only”, “requires login”? Then restrict the people who are allowed to invite.

1 Like

I thought that an invitation from staff was explicit approval - especially if it includes the email address of the user!

With an open invitation there is of course plenty of opportunity to abuse the link. But the staff member has to deliberately set the link up to allow that, and can take responsibility for (and limit) that risk quite easily.

It also means that people who stumble across my site can’t join it and are excluded unless they can find someone to invite them. That sucks.

Suggestion

How about adding two options to /admin/site_settings/category/all_results?filter=must_approve_users?

  1. Staff must approve ALL users
  2. Unless invited by staff, users must be approved
  3. Only public registrations require staff approval
  4. No staff approval required
2 Likes

Happy to add this into the feature request bucket, sadly we do not have bandwidth to work on extra fidelity here right now

3 Likes

It was, the behavior was changed about a month ago though:

We have an instance used by a charity/union for skills training which has been similarly impacted.

Prior to the change staff invited users to bypass approval, now they have to do both. With the need to go back and verify each approval vs membership lists It has increased their admin overhead substantially.

5 Likes

Yeah … long term solution I guess is to add a site setting that allows for the relaxed approval mode I guess, opt in.

I worry though cause getting security right here is very very hard. The more edge cases we allow for, the more complexity and potential security flaws.

4 Likes

I wonder if the main edge case is just allowing the must approve user setting to be overridden if the invite has a specific email address in it, and keep the must approve user setting for the anonymous invite links—but it may be more complex on the back-end to do that than I imagine.

4 Likes

This makes sense to me, especially if the invite was to a specific email address AND was sent from staff. I do not imagine a second level of approval would be needed in that scenario.

5 Likes

How about either allowing admins only to set a flag “auto approve” and optionally limit it to “unchanged email” or “restricted to one” or some such? In my case I would even be happy with a command line inviter which can create those special pre-aprroved invites, is there something like this available?

I’m afraid not.

As a crummy workaround I’ve done as Sam suggested:

I’ve quite liberally spread around an invite to our Forum, and that works nicely.

The issue is for the ‘walk-ins’ who stumble across the site via a Google search or similar. They have to email in for a joining link which is a right pain in the admin butt.

Arman’s suggestion is a pretty simple one and I don’t think it would be too hard to implement (or be leaky):

Any chance this is doable?

2 Likes