Staff-generated invites bypass the must_approve_users requirement

This is certainly what we should do. We will get this fixed over the next few days.

8 Likes

Since the issue here was a staff member sending a multi use invite to a single person, you could keep the old behavior by disabling auto approve for any multiple use invites while keeping it for single use.

Additionally, the education (“this user will be approved when they accept the invitation”) (now only for single use invites) should go on the invite dialog, not the site settings page.

1 Like

I am afraid I am making the very hard line call here that must_approve_users == VERY HARD LINE definition of explicit approval must be given.

The trouble with implicit approval (which I originally approved) is that it is full of edge cases. Edge cases breed security problems and flaws in the system. Additionally, explaining edge cases regarding implicit approval is way too complicated and not a headache we need.

If you go for must_approve_users we will take the absolute strictest definition and require you explicitly click approve on every single account regardless of invite vs not invite.

8 Likes

Just to clarify, the invite link was sent to a meeting chat room, i.e. a bunch of people that were authorized to join, and not to a single person. We set max use to the number of people in that chat room. One of them then forwarded the link to someone else belonging to an unauthorized entity, who used it faster than the people in the chat room.

3 Likes
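The invite policies discussed above, replayed against the forwarded-link scenario from the previous post. This is an added example, not part of the thread and not Discourse's code: it is a toy model, and every name in it (`Invite`, `User`, `redeem`, the policy symbols) is hypothetical.

```ruby
# Toy model of invite redemption under must_approve_users.
# Illustration only: these structs and policy names are assumptions, not Discourse internals.
Invite = Struct.new(:created_by_staff, :max_uses, :uses) do
  def redeemable?
    uses < max_uses
  end
end

User = Struct.new(:name, :approved)

# policy :implicit    -> any staff-created invite auto-approves (the behaviour reported in the thread)
#        :single_only -> only single-use staff invites auto-approve (the compromise suggested above)
#        :strict      -> must_approve_users always requires an explicit approval click
def redeem(invite, name, policy:, must_approve_users: true)
  return nil unless invite.redeemable?   # link already used up
  invite.uses += 1
  auto = case policy
         when :implicit    then invite.created_by_staff
         when :single_only then invite.created_by_staff && invite.max_uses == 1
         else false
         end
  User.new(name, !must_approve_users || auto)
end

# Constructed scenario: a staff invite sized for the chat room is forwarded,
# and the outsider redeems it before the intended members do.
def forwarded_link_scenario(policy, max_uses: 3)
  invite   = Invite.new(true, max_uses, 0)
  outsider = redeem(invite, "outsider", policy: policy)
  members  = %w[alice bob carol].first(max_uses).map { |n| redeem(invite, n, policy: policy) }
  { outsider_approved: outsider&.approved, members_locked_out: members.count(&:nil?) }
end

if __FILE__ == $PROGRAM_NAME
  %i[implicit single_only strict].each do |policy|
    puts "#{policy} (3 uses): #{forwarded_link_scenario(policy)}"
  end
  puts "single_only (1 use): #{forwarded_link_scenario(:single_only, max_uses: 1)}"
end
```

In this model only `:strict` leaves the outsider unapproved for every invite size; `:single_only` still approves whoever redeems a forwarded single-use link first.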

Per:

And

We are now done.

@Wall-E feel free to rebuild to get the latest fixes.

3 Likes

Great! My sys admin takes care of updating the instance. He only updates from your beta releases when a new one shows up here:

Will it make it there eventually? If so, when could that happen?

[Edit] I see a new one here:

Is it that one?

1 Like

Yes, you want to hit that one and then when it is complete return to upgrade everything else using the upgrade all button. You have to upgrade docker first, and separately, unless you are upgrading from the command line.

3 Likes

Sam, many thanks for addressing this issue. It will take a few days before my sys admin updates things.

3 Likes

No probs!

All thanks should go to @tgxworld / @martin / @gerhard, it is a surprisingly complex change.

4 Likes

This topic was automatically closed after 7 days. New replies are no longer allowed.