[$250] Inviting users to a group: issue a token and validate accept invitation link #449

Closed
atelomycterus opened this issue Feb 28, 2021 · 8 comments

Comments

@atelomycterus
Collaborator

Any user who knows the accept invitation link format can join groups, including private ones, after authorization. It could present a security hole in Vanilla. So before using this functionality with private groups in PROD, we need to issue a token / generate an invitation code and validate it.

atelomycterus changed the title from "Invitation user" to "Invitation link in email" on Feb 28, 2021
atelomycterus changed the title from "Invitation link in email" to "Inviting users to a group: issue an token and validate accept invitation link" on Feb 28, 2021
@jmgasper
Collaborator

@atelomycterus - Thanks for that

@sdgun - I have disabled the ability for copilots to send invites to groups in prod for the time being.

jmgasper changed the title from "Inviting users to a group: issue an token and validate accept invitation link" to "[$250] Inviting users to a group: issue an token and validate accept invitation link" on Feb 28, 2021
@jmgasper
Collaborator

Challenge https://www.topcoder.com/challenges/a6d96cd4-6b47-4172-8534-5252208d1860 has been created for this ticket.

This is an automated message for ghostar via Topcoder X

@jmgasper
Collaborator

jmgasper commented Mar 1, 2021

Challenge https://www.topcoder.com/challenges/a6d96cd4-6b47-4172-8534-5252208d1860 has been assigned to obog.

This is an automated message for ghostar via Topcoder X

@atelomycterus
Collaborator Author

atelomycterus commented Mar 1, 2021

@jmgasper I added $Configuration['Plugins']['Groups']['InviteExpiration']. For now the value is 20 minutes for testing, so @sdgun can test it without waiting long. Use '+1 day' or another value for PROD.

Changes

A unique token is generated. Only the invitee can use it. If the token is valid, the user is redirected to the group. If the token has expired:
[image: expired-invitation message]

In other cases, a general error should be displayed:
[image: general error message]

Please apply PRs:

Settings

```php
// e.g. '+15 min', '+1 day'
$Configuration['Plugins']['Groups']['InviteExpiration'] = '+20 min';
```

Let me know if you need:

  1. List of all pending/accepted invitations for a group
  2. Decline an invitation from an email. Now only an accept link is in the email
  3. Delete an invitation
  4. See all group invitations in Vanilla User Profile and accept/decline them
  5. Deleting expired invitations. Now I don't delete them. Maybe it will be needed for history
  6. Resend an invitation again
  7. ....
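Worked example of the issue-and-validate flow described in this comment. It is added here for illustration and is not code from the Groups plugin or from the PRs mentioned; it assumes an in-memory array standing in for the plugin's invitation table, a hypothetical `acceptInvitation()` helper in place of the real controller action, the `+20 min` value from the configuration setting above, and a constructed base URL and link format.

```php
<?php
// Added example (not the Groups plugin's own code): invitations carry a random,
// single-use token bound to one invitee and one group, with an expiry taken from
// the same relative-time syntax as Plugins.Groups.InviteExpiration.
// Storage is an in-memory array here; the plugin would use a database table.

const INVITE_EXPIRATION = '+20 min'; // mirrors $Configuration['Plugins']['Groups']['InviteExpiration']

class InviteStore {
    /** @var array<string, array> rows keyed by sha256(token), so a DB dump does not yield usable tokens */
    private array $rows = [];

    public function issue(int $groupID, int $inviteeUserID, int $now): string {
        $token   = bin2hex(random_bytes(32));              // 256 bits of entropy: not guessable from the link format
        $expires = strtotime(INVITE_EXPIRATION, $now);     // absolute expiry computed once, at issue time
        $this->rows[hash('sha256', $token)] = [
            'GroupID'       => $groupID,
            'InviteeUserID' => $inviteeUserID,
            'Expires'       => $expires,
            'Status'        => 'pending',
        ];
        return $token; // the raw token goes only into the emailed link
    }

    public function find(string $token): ?array {
        return $this->rows[hash('sha256', $token)] ?? null;
    }

    public function markAccepted(string $token): void {
        $this->rows[hash('sha256', $token)]['Status'] = 'accepted';
    }
}

// Constructed link format; the real plugin's route may differ.
function buildAcceptLink(string $baseUrl, int $groupID, string $token): string {
    return $baseUrl . '/group/accept/' . $groupID . '?token=' . rawurlencode($token);
}

/**
 * Validate an accept-invitation request for the currently authenticated user.
 * Returns 'valid' (controller redirects to the group), 'expired' (dedicated
 * "invitation has expired" page) or 'error' (generic error page).
 */
function acceptInvitation(InviteStore $store, string $token, int $groupID, int $currentUserID, int $now): string {
    $row = $store->find($token);
    if ($row === null || $row['GroupID'] !== $groupID || $row['Status'] !== 'pending') {
        return 'error';   // unknown, already-used, or wrong-group token: say nothing specific
    }
    if ($row['InviteeUserID'] !== $currentUserID) {
        return 'error';   // only the invitee may accept; checked before expiry so a
                          // non-invitee cannot learn whether the invite is still live
    }
    if ($now > $row['Expires']) {
        return 'expired';
    }
    $store->markAccepted($token); // single use: a second click on the same link fails
    return 'valid';
}

// Constructed walkthrough with a fixed clock so the run is reproducible.
$store = new InviteStore();
$now   = 1614600000;
$token = $store->issue(42, 7, $now);
echo buildAcceptLink('https://forum.example', 42, $token), PHP_EOL;

echo acceptInvitation($store, $token, 42, 99, $now + 60), PHP_EOL;       // another logged-in user tries the link
echo acceptInvitation($store, $token, 42, 7, $now + 21 * 60), PHP_EOL;   // invitee, but 21 minutes after issue
echo acceptInvitation($store, $token, 42, 7, $now + 60), PHP_EOL;        // invitee within the window
echo acceptInvitation($store, $token, 42, 7, $now + 120), PHP_EOL;       // invitee re-using the consumed link
echo acceptInvitation($store, 'guessed-value', 42, 7, $now + 60), PHP_EOL; // token not in the store
```

Two design choices worth noting: the store keeps only a hash of the token, so the raw value exists solely in the emailed link, and the invitee check runs before the expiry check so the generic error is what anyone other than the invitee sees, regardless of the invitation's state.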

@jmgasper
Collaborator

jmgasper commented Mar 1, 2021

@atelomycterus - Thanks, I'll keep that in mind for future functionality, if needed.

@jmgasper
Collaborator

jmgasper commented Mar 1, 2021

Payment task has been updated: https://www.topcoder.com/challenges/a6d96cd4-6b47-4172-8534-5252208d1860
Payments Complete
Winner: obog
Copilot: ghostar
Challenge a6d96cd4-6b47-4172-8534-5252208d1860 has been paid and closed.

This is an automated message for ghostar via Topcoder X

@sdgun
Collaborator

sdgun commented Mar 2, 2021

Verified in Dev.

  1. The invited user could use the link for 20 minutes.
  2. After 20 minutes it shows the message:

[image: expired-invitation message]

  3. When trying to use the same link as another user, it shows the message:

[image: general error message]

@sdgun
Collaborator

sdgun commented Mar 16, 2021

Verified using the link from another user and also invitation expiry after 20 minutes. Works as expected.
