Require password for trusted user invites

(Joseph) #1

I’m not sure if this is a bug or not, but a new user invited by a “trusted user” is able to log in without a password by clicking on the tokenized invite link they are emailed.

In their preferences the “set password” button is an option.

If they log out without having set a password, and then try to log back in, a password is now required.

If they revisit the original invite email and click on the tokenized link again, they are once more logged in automatically without a password.

There seems to be no way to force a password to be set and used for log in. Or at the very least disassociate this behavior from “trusted users”. Here are the user settings in the Admin Dashboard.

Is there a way to set session expiration after a set length of time?

(Jeff Atwood) #2

This is 100% by design.

  • At trust level 2, we trust you to invite people into the community.

  • And we want the people you invite to be able to respond to a topic immediately without being hassled for login info.

However, this should only be available to staff in your particular config with invite_only, login_required, and must_approve_users set. Are you taking those screenshots as staff?

(Sander Datema) #3

Even if by design, it seems to have a nasty side effect. If I were to delete the invite mail after clicking the link, the only way to log in to the forum a second time is by using the lost password option. Not very user friendly I’d say.

(Jeff Atwood) #4

I guess I probably shouldn’t tell you how many websites I log into every single time by using the “lost password” de-facto email skeleton key system?

I kind of suspect I am not alone in that.

(n.b. I do run two-factor auth on email and anyone who does not is f***ing crazy.)

(Sander Datema) #5

Maybe not, but the ‘lost password’ link implies you had one to lose. But people coming in through an invite link don’t have one. As Discourse aims to be as intuitive as possible, I still think the situation above isn’t ideal.

(Joseph) #6

I was taking those screenshots as admin.

I’m not against them being able to immediately reply per se, but it can be confusing if later they’ve signed out or go to visit from another browser not using the tokenized invite link. Now they’ll encounter a login screen asking for a password they never set, and must utilize the “forgot password” mechanism. While this will technically get the job done, it really doesn’t describe their situation since they never had a password to lose.

Also, this doesn’t take into account that the invite may have been for a private category, where privacy is important. It defeats the purpose if someone simply needs a copy of the email with the tokenized link to be able to assume their identity. Ex: I send an invite to a potential partner/customer to discuss roadmap. They innocently enough forward to an underling thinking they’ll be able to sign up as well. Instead the underling can simply log in and see everything until a password is set by the original invitee.

I’d suggest a couple of different possible solutions.

  1. An admin setting requiring login/password setting even for invites from a “trusted user”.
  2. The initial invite includes a temporary password they can use to log in.
  3. A pinned alert of some type telling the user that they have not yet set their password with a link to their preferences page to do so. It would remain until a password is set.

I certainly lack the breadth of knowledge of many on here regarding the possible ripple effects of my suggestions above, but do think that the current state could use some modest improvement.

(Joseph) #7

I know it happens frequently, but it doesn’t make it best practice.

Also, regarding security habits, someone like you and maybe even myself are the exception, not the rule. Most people take no active role in securing themselves. They rely on the service provider or “IT guy” to do that. IMHO as far as invites/security is concerned I would think that forum software is more concerned with “most people”.

(Jeff Atwood) #8

Regardless, only staff can invite with the settings you have (private, invite only forum).

(Joseph) #9

I don’t want to beat a dead horse. At the most basic level Discourse is offering some evolved and greatly improved features such as private and public categories, and a slew of improvements around conducting nuanced and effective discussions in an organized way. As proof, the Discourse Org itself uses the platform to debate features/roadmap, discuss bugs, general customer support and more. The growing plugin ecosystem will only increase the versatility of Discourse going forward.

However, to feel safe using Discourse for more than just one thing (public forum, roadmap, features, etc.) it’s necessary to rely on basic things like authentication and permissions. I think there’s currently a gap in that I can invite someone to a private category that is password protected, yet they don’t need to have a password. And worse yet they can use the tokenized link indefinitely, as can anyone else that has a copy of the invite email.

At the very least I think the invite link should have an expiration or other restriction associated with it.

Thanks for engaging in an open discussion. It only makes me more of a fan.
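The restriction Joseph asks for above (an invite link that expires and can only be redeemed once), sketched as an added Ruby example that is not Discourse’s own code; the `InviteStore` class, its method names and the 7-day default TTL are assumptions.

```ruby
# Added example (not Discourse's own code): a minimal model of the invite
# flow discussed in this thread, with the two restrictions it asks for:
# the tokenized link expires, and it can be redeemed only once. A second
# click, or a forwarded copy of the email, no longer creates a session.
require 'securerandom'
require 'digest'

class InviteStore
  Invite = Struct.new(:email, :expires_at, :redeemed_at)

  # ttl_seconds: how long the link stays valid (assumed 7-day default).
  # clock: injectable so expiry can be exercised deterministically.
  def initialize(ttl_seconds: 7 * 24 * 3600, clock: -> { Time.now })
    @ttl = ttl_seconds
    @clock = clock
    @invites = {} # keyed by SHA-256 of the token, never the raw token
  end

  # Create an invite and return the raw token that goes into the email link.
  def create(email)
    token = SecureRandom.urlsafe_base64(32)
    @invites[digest(token)] = Invite.new(email, @clock.call + @ttl, nil)
    token
  end

  # Redeem the token from a clicked link. Returns the invited email on the
  # first valid use; nil if the token is unknown, expired, or already used.
  # A nil result should send the visitor to the normal login page rather
  # than logging them in.
  def redeem(token)
    invite = @invites[digest(token)]
    return nil if invite.nil?
    return nil if @clock.call > invite.expires_at
    return nil unless invite.redeemed_at.nil?
    invite.redeemed_at = @clock.call
    invite.email
  end

  private

  # Store only a hash so a leaked database row does not yield usable links.
  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```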

(Jeff Atwood) #10

You bring up a very good point – but note that invited users will have no special permissions. So even if you invite them to a topic in a category with permissions, they won’t be able to see it. There is no backdoor here. The invite simply lets them join the site as a normal user without going through the motions of explicitly registering, it does not give them access to anything special.

But the UI is confusing! So @neil can you make it so that “Invite Friends” button does not appear on any topic in a category that has permissions? Would make way more sense and reduce confusion.

(Neil Lalonde) #11

Done. The button is hidden in secured topics.

(Ted Pearlman) #12

Hi @codinghorror, just to follow up on the initial issue…

I’m an admin of a Discourse forum and am successfully sending invites that don’t require the recipient to log in. That’s a very clever feature and I’m sure is helping with adoption. Kudos.

But many of the members of my forum are non-technical. So, if they lose their cookie somehow, or try to log in from a different browser, they are presented with a login dialog requiring a password. And they don’t know what to do. I know for you and me and most users of Discourse, this is not a big deal, it’s obvious to us that we need to create a password for the first time by clicking on the lost password link. But for non-technical folks, it’s a dead end.

Do you have any suggestions of an in-context way to explain to non-technical folks what to do when they’re presented with that login dialog for the first time?

cc: @jvenator

(Jeff Atwood) #13

These users get a PM on accept that walks them through the process and provides a link to their profile.

Try inviting one of your alternate email addresses to see the flow.

(Ted Pearlman) #14

OK. Invited another email address of mine. This is what I got in the one email (the forum is called “Sugarmaples”):

tedpearlman invited you to Sugar Maples.

If you’re interested, click the link below to join:

Visit Sugar Maples

You were invited by a trusted user, so you’ll be able to join immediately, without needing to log in.

Nothing else.

(Jeff Atwood) #15

Click the link, then tell me what happens after you do that.

(Ted Pearlman) #16

It just goes straight to the main forum page.

(Jeff Atwood) #17

You should have a private message on that account.

(Ted Pearlman) #18

This forum has private messages disabled.

(Jeff Atwood) #19

Well that explains that. Why are PMs disabled? It kind of breaks the new user experience.

  • new users get a PM with an introduction to the forum and quick tips
  • invited users get a PM explaining how they can register, etc

(Ted Pearlman) #20

Ah! Ok.

Well, our conversational model may not be exactly aligned with Discourse. The point of our forum is to have open discussions. Leaving private messaging enabled makes it too easy to fall into the habit of having private conversations. Disabling the private messaging makes it crystal clear what we’re about.

Can you see any way of solving my problem without turning on private messaging?