I was taking those screenshots as admin.
I’m not against them being able to immediately reply per se, but it can be confusing if later they’ve signed out or go to visit from another browser not using the tokenized invite link. Now they’ll encounter a login screen asking for a password they never set, and must utilize the “forgot password” mechanism. While this will technically get the job done, it really doesn’t describe their situation since they never had a password to lose.
Also, this doesn’t take into account that the invite may have been for a private category, where privacy is important. It defeats the purpose if someone simply needs a copy of the email with the tokenized link to be able to assume their identity. Ex: I send an invite to a potential partner/customer to discuss roadmap. They innocently enough forward it to an underling thinking they’ll be able to sign up as well. Instead the underling can simply log in and see everything until a password is set by the original invitee.
I’d suggest a couple of different possible solutions.
- An admin setting requiring login/password setup even for invites from a “trusted user”.
- The initial invite includes a temporary password they can use to login.
- A pinned alert of some type telling the user that they have not yet set their password with a link to their preferences page to do so. It would remain until a password is set.
I certainly lack the breadth of knowledge of many on here regarding the possible ripple effects of my suggestions above, but do think that the current state could use some modest improvement.
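Added example (not code from the post or from Discourse): an invite-redemption flow that makes a forwarded link worthless after first use and, via a setting, either forces a password to be chosen on acceptance or flags the account for a pinned alert until one is set. Store names, the `require_password` parameter and the token lifetime are assumptions for the example.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for a database (assumption, not Discourse's schema).
INVITES = {}  # sha256(token) -> {"email", "expires", "redeemed"}
USERS = {}    # email -> {"salt", "password_hash"}; password_hash is None until the user picks one
INVITE_TTL = 7 * 24 * 3600          # assumed lifetime of an invite link
REQUIRE_PASSWORD_ON_INVITE = True   # the admin setting proposed in the post

def _token_hash(token: str) -> str:
    # Only the hash is stored, so a database leak does not expose usable invite links.
    return hashlib.sha256(token.encode()).hexdigest()

def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def create_invite(email: str, now: float = None) -> str:
    """Issue a single-use, time-bound invite token bound to one e-mail address."""
    token = secrets.token_urlsafe(32)
    start = time.time() if now is None else now
    INVITES[_token_hash(token)] = {"email": email, "expires": start + INVITE_TTL, "redeemed": False}
    return token

def redeem_invite(token: str, password: str = None, now: float = None,
                  require_password: bool = REQUIRE_PASSWORD_ON_INVITE) -> str:
    """Consume the invite. With require_password a password must be chosen right now;
    otherwise the account is created without one and flagged for the pinned alert."""
    rec = INVITES.get(_token_hash(token))
    current = time.time() if now is None else now
    if rec is None or rec["redeemed"] or current > rec["expires"]:
        raise PermissionError("invalid, expired or already-used invite")
    if require_password and not password:
        raise PermissionError("a password must be set to accept this invite")
    rec["redeemed"] = True  # a forwarded copy of the link can no longer be used to log in
    salt = secrets.token_bytes(16)
    USERS[rec["email"]] = {"salt": salt,
                           "password_hash": _password_hash(password, salt) if password else None}
    return rec["email"]

def needs_password_alert(email: str) -> bool:
    """True while the account has no password: drives the pinned alert the post suggests."""
    return USERS[email]["password_hash"] is None

def login(email: str, password: str) -> bool:
    """Password login; an account that never set a password cannot log in this way."""
    user = USERS.get(email)
    if user is None or user["password_hash"] is None:
        return False
    return secrets.compare_digest(_password_hash(password, user["salt"]), user["password_hash"])
```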