Inviting users with groups field failed when there is an existing user in the list

gingerman · February 25, 2019, 3:32am

I just want to check if it is a regression bug. I know we can manually add the users to groups.

As per the comment below by @techAPJ ,

https://meta.discourse.org/t/sending-bulk-user-invites/16468/60

expected behaviour: when an user with same email address is already present, instead of inviting the user again just the group addition will happen.

present behaviour: invite process failed with an error that “email address is already present” and the group addition didn’t happen.

tried steps: bulk invite via csv, individual invite via api, individual invite via ui

techAPJ · March 4, 2019, 9:08am

This feature was reverted as part of a security fix:

https://github.com/discourse/discourse/commit/978f0db109cccfb5c1fd80640f0c080a1caca8b8

gingerman · March 4, 2019, 3:29pm

@techAPJ Just to clarify,

https://github.com/discourse/discourse/blob/ab2c2ea60543f70621f930122b641e38e6913e06/app/models/invite.rb#L92-L98 - This seems to be the piece of code which throws the error when there is an existing user with a given email address already present in the system. This code is same before & after the security fix commit (mentioned by you)
My question (in the first post of this topic) is more about invite/bulk invites scenarios where existing user are invited only to group (not about inviting to a topic/PM - which seems to be the security fix is largely about).

shouldn’t the existing user be added to the group (not topic/PM) before rejecting an invite creation - as per your earlier comments ?

techAPJ · March 4, 2019, 3:35pm

This used to happen before the security fix as per this line of code.

I wouldn’t revert this code before discussing with @tgxworld and he is away for the week.

gingerman · March 4, 2019, 3:39pm

Thanks. I think it is smart to check with @tgxworld ( although it appears that piece of code will not run if topic is not given - so it is a different scenario where the invite is for topic). It appears the required code to add the existing user to a group is not present (for non-topic usecase)

tgxworld · April 15, 2019, 1:31pm

This is a bug. An error is thrown when there is an existing user even before the security fix.

There are two fixes in the PR above.

Bulk invite will skip creating the invite and add the user to groups that can be edited.
Bulk invite should not be adding users into groups that are not editable which is now down with the guardian safe guard.

techAPJ · April 15, 2019, 2:56pm

That is correct the error was being logged in a notification PM when bulk inviting an existing user, but (before the security fix) the user was indeed added to the specified group via this block of code.

Thanks for the proper fix here!

tgxworld · April 16, 2019, 1:20am

Not that we will only add the user to the group automatically via bulk invite. Individual invite via the API or UI will raise an error as it should.

tgxworld · April 22, 2019, 10:00am

This topic was automatically closed after 6 days. New replies are no longer allowed.

Topic		Replies	Views
Bulk invite grant staff access Bug	4	681	May 29, 2018
Some proposed improvements to user invites Feature	18	3424	July 4, 2014
New invite link should work for existing users Feature invites	14	1427	November 24, 2022
When bulk inviting users to a group, user profile settings do not reflect the fact that the are part of that group Bug groups	7	1428	April 16, 2015
Bulk User Invite with Error Support	15	1033	November 1, 2019

Inviting users with groups field failed when there is an existing user in the list

Related Topics