Invite redemption allowed user to access forum BEFORE approval

Our Forum has these settings:

  1. login_required ON
  2. must_approve_users ON
  3. min_trust_level_to_allow_invite 2 : member

When testing our forum invites, I noticed that:

  1. When a TL2 user invites another user via email and
  2. They click the invite link in their email and
  3. They fill in the fields and submit it

This happens → they are taken straight into the Forum (as though pre-approved), and can read it at will. They should not be able to do this until approved.

They indeed remain unapproved. If they try to access the site again, they are prevented with the standard “you aren’t approved” message.


Indeed, I can repro this on 2.8.0.beta10 (bbca25e875).


I can confirm on my test site (17ec3bc5b9)

  • Log on required
  • Must approve users
  • TL2 can send invites

And my invitee could view and post on that ‘sign-up visit’ without being approved.


This is a complicated situation.

We have no implementation at the moment for “Hold tight, until someone approves your account.”

In fact, I am not sure it even makes sense: why would you invite someone to the forum just for them to be blocked?

I would say your immediate workaround is disallowing invites on tl2/3 … that will at least seal off this quirk.

I guess we should, at least in the interim, completely disable invites for non-staff when must_approve_users is ON.

@dan thoughts?


Done. Of course, TL4s will still have the problem, but I don’t actually have any of those so all good!

That makes sense to me as a permanent solution.

I was a little surprised that my punters could invite others!


I am torn on this one because I understand both sides. However, I am thinking the status quo is a bit misleading because not all users who sign up must be approved.

To a certain extent, I guess it depends on the community and how much trust you put in your users. Maybe in the future must_approve_users can be a dropdown: no, yes or if not invited.

I am going to put this on my TODO list.


Resolved via SECURITY: Do not sign in unapproved users (#15552) · discourse/discourse@584c6a2 · GitHub. Thanks for the report @nathankershaw!


This topic was automatically closed after 31 hours. New replies are no longer allowed.
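
The gap reported in this thread, as an added example that is not part of the original posts and is not Discourse's code: a toy model in which invite redemption creates a session without passing the approval gate, next to a version that routes it through the same gate as a regular login. Every class and method name is hypothetical, and the model assumes an account created from a TL2 member's invite starts unapproved.

```ruby
# Added example: a toy model of the invite-redemption flow in this thread.
# All class and method names are hypothetical; this is not Discourse code.
Settings = Struct.new(:login_required, :must_approve_users, keyword_init: true)
User     = Struct.new(:email, :approved, :staff, keyword_init: true)

class InviteFlow
  attr_reader :sessions

  def initialize(settings)
    @settings = settings
    @sessions = {}            # email => true while a session exists
  end

  # The one gate every session-creating path has to pass through.
  def may_sign_in?(user)
    return true unless @settings.must_approve_users
    user.approved || user.staff
  end

  # Reported behaviour: the account is created and signed in unconditionally.
  def redeem_without_gate(email)
    user = new_invitee(email)
    @sessions[email] = true
    { user: user, signed_in: true }
  end

  # Gated behaviour: the account is created, but a session only starts
  # if the approval gate passes; otherwise the invitee waits for review.
  def redeem_with_gate(email)
    user = new_invitee(email)
    signed_in = may_sign_in?(user)
    @sessions[email] = true if signed_in
    { user: user, signed_in: signed_in }
  end

  # Can this address read the forum right now?
  def can_read?(email)
    !@settings.login_required || @sessions.key?(email)
  end

  private

  # Assumption: an account created from a TL2 member's invite starts unapproved.
  def new_invitee(email)
    User.new(email: email, approved: false, staff: false)
  end
end
```

A regression test for this class of bug asserts on the session state after redemption, not only on the user's approved flag, because in the report the flag was correct while the session existed anyway.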