Hide 'email account exists' for invites

Would it be possible to add the invite form to this list too?

Currently, if I put an existing account email in the ‘restrict to email’ box in the invite modal it informs me that there is already an account associated with it, and gives me a link to it.

Is there a setting to make this more anonymous, like the setting above?


Edit: I can customise the invite.user_exists text to take out the link, which was my immediate concern, but I can’t think of a good alternative that doesn’t say ‘Congratulations! You’ve found a member’s email address!’

Anyone have any suggestions?

Update: I copied the language from the topic_invite.user_exists and tweaked it a little:

“Sorry, that user has already been invited to the forum.”

I’m still open to better suggestions. :slightly_smiling_face:

5 Likes

I agree this is a privacy oversight @dan @tobiaseigen and we should normalize the code path here. Thanks @JammyDodger !

6 Likes

Good catch! And sorry I missed this earlier when you first reported it. Sure, I can confirm this is an issue, if the trust level is cranked down to TL2 as it is by default on community sites. I just did a test to remind myself what happens if you try to register a new account with an existing email address, and it actually shows no erorr at all and lets you submit the form as though you had started with a new email address. Then the email you receive explains what just happened with subject “Account already exists”.

We can do the same thing with invites, if hide email address taken admin setting is enabled. Just let the user create the invite for that email address with no error displayed at all, and then when the person with that email address tries to use it to accept the invitation it will just send them through to the site’s login page. If they are already logged in, they are taken straight to the site.

4 Likes

Fix has been merged :confetti_ball:

5 Likes