My question (in the first post of this topic) is more about invite/bulk invites scenarios where existing user are invited only to group (not about inviting to a topic/PM - which seems to be the security fix is largely about).
shouldn’t the existing user be added to the group (not topic/PM) before rejecting an invite creation - as per your earlier comments ?
Thanks. I think it is smart to check with @tgxworld ( although it appears that piece of code will not run if topic is not given - so it is a different scenario where the invite is for topic). It appears the required code to add the existing user to a group is not present (for non-topic usecase)
That is correct the error was being logged in a notification PM when bulk inviting an existing user, but (before the security fix) the user was indeed added to the specified group via this block of code.