Allow users invited by staff to skip approval

When a new user joins via an invite link, I’m finding that I also need to approve the user at the moment.

This defeats the whole purpose of an invitation; I may as well just send them the link to the forum.

I’ve tried this for a variety of situations (new link, old link, single person, multiple) on more than one instance, and it is the same.

I’ve got /admin/site_settings/category/all_results?filter=must_approve_users TRUE for these instances. It seems to be taking it a bit too literally! I want only to need to approve those who are joining without an invite, which is how things used to operate.


If you set must approve users you explicitly opted that every user must be explicitly approved.

We had to change this due to security concerns of Discourse users.

I guess change the forum to “invite only”, “requires login”? Then restrict the people who are allowed to invite.

I thought that an invitation from staff was explicit approval - especially if it includes the email address of the user!

With an open invitation there is of course plenty of opportunity to abuse the link. But the staff member has to deliberately set the link up to allow that, and can take responsibility for (and limit) that risk quite easily.

It also means that people who stumble across my site can’t join it and are excluded unless they can find someone to invite them. That sucks.


How about adding two options to /admin/site_settings/category/all_results?filter=must_approve_users?

  1. Staff must approve ALL users
  2. Unless invited by staff, users must be approved
  3. Only public registrations require staff approval
  4. No staff approval required

Happy to add this into the feature request bucket, sadly we do not have bandwidth to work on extra fidelity here right now.


It was, the behavior was changed about a month ago though:

We have an instance used by a charity/union for skills training which has been similarly impacted.

Prior to the change, staff invited users to bypass approval; now they have to do both. With the need to go back and verify each approval vs membership lists, it has increased their admin overhead substantially.


Yeah … long term solution I guess is to add a site setting that allows for the relaxed approval mode I guess, opt in.

I worry though cause getting security right here is very very hard. The more edge cases we allow for, the more complexity and potential security flaws.


I wonder if the main edge case is just allowing the must approve user setting to be overridden if the invite has a specific email address in it, and keep the must approve user setting for the anonymous invite links—but it may be more complex on the back-end to do that than I imagine.


This makes sense to me, especially if the invite was to a specific email address AND was sent from staff. I do not imagine a second level of approval would be needed in that scenario.


How about either allowing admins only to set a flag “auto approve” and optionally limit it to “unchanged email” or “restricted to one” or some such? In my case I would even be happy with a command line inviter which can create those special pre-approved invites; is there something like this available?

I’m afraid not.

As a crummy workaround I’ve done as Sam suggested:

I’ve quite liberally spread around an invite to our Forum, and that works nicely.

The issue is for the ‘walk-ins’ who stumble across the site via a Google search or similar. They have to email in for a joining link which is a right pain in the admin butt.

Arman’s suggestion is a pretty simple one and I don’t think it would be too hard to implement (or be leaky):

Any chance this is doable?



At the mo, this simply isn’t the case if must_approve_users is TRUE:

Each time we have a group of folk to invite we either accept a lot of friction (the approval step) or have to reconfigure the site temporarily (and close it to public registrations), which is pretty painful.

Any thoughts on this happening one day?

Not against it, but it is not slotted quite yet.

Hi, I’d like to also request that there be a feature for staff invites to bypass the approval step, perhaps by an optional boolean on the Invite generation dialog.

At present, the “Share this link to instantly grant access to the site” simply isn’t true at all for sites which are must_approve_users.

The solution would seem to be as discussed in “option 4” here in the topic which discussed the bug which fixed the security issue but left us with this problem with ‘pre-approving’ an invite link.

To recap, this request is so that staff on a must_approve_users site can create an invite link which will bypass the approval step. Although the site I run requires approval, we would sometimes like to be able to ‘pre-approve’ users via an invite link which we know is going to be shared privately to trusted individuals, or when we share the link at a physical event which is related to the forum community. (We don’t necessarily know the preferred email addresses of such invitees so can’t use a bulk invite.)
