How to disable invites without enabling "must approve users" (when using external SSO)?


(Yuri) #1

My situation:

I’ve set up my instance of discourse to use SSO with my own external site for authentication purposes. This is working as expected and I have no issues with it. Getting it set up was easy. Great work! :stuck_out_tongue:

My goal with using SSO is to always have the users of my discourse forum (1) create their discourse user accounts via SSO’ing via my external site and (2) only use SSO to log on. I also want my external site to be the only place where users can change their email and user name, so I have also set “sso_overrides_email” to true, “sso_overrides_username” to true, and “email_editable” to false. This is all working as expected.

My issue:

The whole notion of invites in discourse (at least as they are currently implemented) doesn’t play nicely with discourse as I have set it up. As an admin, moderator, or user with a trust level greater than two, a user can send invites out to any email address. When the link in these invites is used, a user account is then auto-generated for that email on my discourse instance, but this is bad since no corresponding user with that email address is guaranteed to be already created on my external site (that is used for SSO).

Solutions?

There are most likely multiple solutions for this, but what would likely be easiest to implement (and totally A-OK for my needs) would be a simple “Disable Invites” checkbox in the admin User settings.

Thoughts?

Thanks!

One last note:

I read on a semi-related thread that one could disable invites by enabling “must_approve_users”, but that doesn’t work in my case for two reasons. (1) When “must_approve_users” is enabled, if a user tries to log in via SSO for the first time, they are just dropped back on the discourse page and are not logged in. There is no notification that they just had their account created and an admin now must activate their account. (2) For our situation, we don’t want to have to activate each and every user. Anyone with an account on our external site should be allowed to have an account on our discourse instance.


(Jeff Atwood) #2

Case (1) is something @neil will be fixing next week.

But in general I agree, if SSO is enabled the invite system has to be turned off automatically, wouldn’t you say @sam?


(Yuri) #3

Automatically disabling the invite system when SSO is enabled would be perfect!


(Sam Saffron) #4

That is now complete:

https://github.com/discourse/discourse/commit/25860622b723f53073709a73868cb20c04619562


(Jeff Atwood) #5

For those of you asking why the invites system is mutually exclusive with SSO, here is the origin of that.


(Michael Downey) #6

Sure, but isn’t the solution a bit overkill?

If a trusted party (admin?) could create invitations based upon data in the SSO directory/source, wouldn’t that be all right because the user would be there waiting on the user to log in (via SSO)?


(Sam Saffron) #7

The edge case I missed was invite by username into pm