Description and Evidence

Recently in 2.9.0beta2 users that already have an account can click invite links. But I generated invite links can click them it said I invited myself and because I am TL2+ and I clicked 5 different invite links of mine I received the Champion badge. You can see a screenshot below of it below. These are in the Replit EDU forums and you can view my profile here.

Screenshot 2022-02-14 11.03.381019×450 69.4 KB

I also made an invite link on the Codecademy forums and it says I invited myself there also that you can see below. View my profile here.

Screenshot 2022-02-14 11.53.391103×417 78.7 KB

Repro steps

Reach TL2+ (by default) make invite links that you then click. It will say that you invited yourself on your profile and that you accepted your invite as shown above. And if you enough invite links you will receive the Campaigner and Champion badges.

Works for me here too. Now my profile says I was invited by myself.

And you should receive the promoter badge. (Forgot to mention it in the original post because I already had it before this)

Thanks for pointing this out! When designing this feature, I forgot to think like an evil person.

@dan any thoughts on how to fix this issue?

I personally never looked at the code for discourse but something like this might would work. (this is in JS because that’s what I know best)

if (invter != invitee) {
  inviter_count++
}

This bug is now fixed. Thanks again @not-ethan for reporting it! If you notice anything at all wrong with the invite system, do let us know. We’re actively working on it.

Reopening because I got a PM that I lost track of from @not-ethan. @dan if it’s not too much trouble would you mind assisting?

Can I have a link to the commit or PR for the fix? I’m just curious as to what the fix was

@tobiaseigen @dan think I found the PR FIX: Do not increase invite count for current user by udan11 · Pull Request #15952 · discourse/discourse · GitHub

Reopened on the the request of @not-ethan. Has there been a regression somehow?

After some extra testing, I am only experiencing this on Replit Ask:

But not on here meta or on another forum, all it says is that Ethan accepted your invitation but does not grant the badges.

Never mind I just got the badges here in meta and on that other forum. It took like 12 hours thought.

Can confirm.

image693×284 44.5 KB

Hey people,

there’s a bug in which you can create an invite code and redeem it yourself, doing this you can get the invite badges, which is annoying. This was mentioned by @not-ethan and a pull request was made, but the bug is still active. My idea was if someone uses an invite code for the web, but that person is logged it make the code fail!

Thanks for bringing this up again, Urias. We are seeking to not touch the invite system too much at the moment, because it is complex and making changes can have unintended and unplanned consequences.

Is there any way we could sidestep this problem by changing how the badge is awarded? E.g. if the person redeeming the invite is already a member, do not award the campaigner badge to the person who created the invitation?

This seems to me to be a problem that likely has existed for a long time and gone unnoticed. Another answer might be to treat this as “do nothing, works by design” and leave it to community moderators to address it if they are concerned by people abusing this method to get more badges.

My SQL probably needs checking , but I believe you could add this line to the badge query to stop it being granted to people who have invited themselves - AND i.invited_by_id <> u2.id

So something like this:

SELECT u.id user_id, current_timestamp granted_at 
FROM users u 
WHERE u.id IN (
  SELECT invited_by_id 
  FROM invites i 
  JOIN invited_users iu ON iu.invite_id = i.id 
  JOIN users u2 ON u2.id = iu.user_id 
  WHERE i.deleted_at IS NULL
  AND i.invited_by_id <> u2.id
  AND u2.active 
  AND u2.trust_level >= 0 
  AND u2.silenced_till IS NULL 
  GROUP BY invited_by_id 
  HAVING COUNT(*) >= 1 
) AND u.active AND u.silenced_till IS NULL AND u.id > 0 AND
(:backfill OR u.id IN (:user_ids) ) 	

Cool! I haven’t played with the badge system in a while but looking now I don’t see the invites related badges in the admin>badges UI. Maybe these are system badges that have to be edited in core discourse?