Invite redemption allowed user to access forum BEFORE approval

nathank · January 10, 2022, 2:25am

Our Forum has these settings:

login_required ON
must_approve_users ON
min_trust_level_to_allow_invite 2 : member

When testing our forum invites, I noticed that:

When a TL2 user invites another user via email and
They click the invite link in their email and
They fill in the fields and submit it

This happens → they are taken straight into the Forum (as though pre-approved), and can read it at will. They should not be able to do this until approved.

They indeed remain unapproved. If they try to access the site again, they are prevented with the standard “you aren’t approved” message.

Benjamin_D · January 10, 2022, 7:50am

Indeed, I can repro this on 2.8.0.beta10 ( bbca25e875 )

JammyDodger · January 10, 2022, 8:53am

I can confirm on my test site (17ec3bc5b9)

Log on required
Must approve users
TL2 can send invites

And my invitee could view and post on that ‘sign-up visit’ without being approved.

sam · January 11, 2022, 5:42am

This is a complicated situation.

We have no implementation at the moment for “Hold tight, until someone approves your account”

In fact I am not sure it even makes sense, why would you invite someone to the forum just for them to be blocked.

I would say your immediate workaround is disallowing invites on tl2/3 … that will at least seal off this quirk.

I guess we should, at least in the interim, completely disable invite for non staff when must_approve_users is ON.

@dan thoughts?

nathank · January 11, 2022, 8:44am

Done. Of course, TL4s will still have the problem of course, but I don’t actually have any of those so all good!

That makes sense to me as a permanent solution.

I was a little surprised that my punters could invite others!

dan · January 12, 2022, 7:09am

I am torn on this one because I understand both sides. However, I am thinking the status quo is a bit misleading because not all users who sign up must be approved.

To a certain extent, I guess it depends on the community and how much trust you put in your users. Maybe in the future must_approve_users can be a dropdown: no, yes or if not invited.

I am going to put this on my TODO list.

jomaxro · January 13, 2022, 4:31pm

Resolved via SECURITY: Do not sign in unapproved users (#15552) · discourse/discourse@584c6a2 · GitHub. Thanks for the report @nathank!

david · January 15, 2022, 8:00am

This topic was automatically closed after 31 hours. New replies are no longer allowed.

Topic		Replies	Views
Trusted users cannot invite when must approve users admin setting enabled Support	10	882	June 17, 2021
Reviewing New Members Support	6	554	June 7, 2022
Better way for my users to invite others? Support invites	36	5187	December 3, 2023
Invite-only Forum - Can non staff members invite others? Support invites	17	4203	January 11, 2024
Staff-generated invites bypass the must_approve_users requirement Feature invites	29	2298	June 10, 2022

Invite redemption allowed user to access forum BEFORE approval

Related topics