Fine-grained controls against invites


#1

Is it possible to cap all non-admin users to a single invite (and individually grant specific users one or two more separately later on?) Or any simple way to pull and ban entire invite trees down from a certain level (this can be done manually) – for example a bad user is held responsible for anyone they invite?

Poked through settings and couldn’t find any obvious things about it.


(Sam Saffron) #2

Not really, once you have invite priv it is unlimited, that is why we only grant it to tl2 and above.

Simplest way of dealing with abuse is forcing the high trust level user back down to tl1 or 0, or even banning in severe cases.

That said, I have not seen any invite abuse in the last 4 years of watching many forums.


#3

I was planning more on using discourse as a forum and a SSO provider for a new invite-only site, not so much as a public forum; how insane/bad-idea would it be to create single invites with an admin api key or otherwise outside of the discourse flow and handle lockdowns there?


(Sam Saffron) #4

Sure, that can work :sunglasses:


(Jeff Atwood) #5

Er what? We do have invite rate limits last time I checked, see max invites per day site setting.

There is no total all time per user limit, but you can never exceed the daily limit.


#6

So just to make sure before I go writing insane things: it’d be easier to just manage invites and send them from my own SSO’d application, or is there some simple find + replace within the docker yml that I’m overlooking where I can set the ratelimit from 1.day.to_i to something more like a year?


(Sam Saffron) #7

there is no per year rate limit for this