Re: Expire invitations after 14 days #suggestion


Thanks Shal,

Yes, Bruce pointed this out to me. I didn't know it worked like that. Would it
not be better if it did not have that function, but simply required an email
reply? The recipient must already be using an email client to read the
invitation, so simply replying to it would accept the invitation but nothing
else. That would, I think, remove the need for any expiry date.


On 18 Apr 2021 at 23:04, Shal Farley wrote:


> I don't see how it can give access to his/her account or to the system
> to anyone else. It isn't like a login link, which could do that.

The invitation email contains a link "accept the invitation" which IS
effectively a login link. That is the problem that was reported, and
which precipitated the shorter lifetime for the link.

While attempting to ask a question about invitations an invitee posted
the text of a received invitation, including that link, on a public
forum. I tested it, and it did indeed log me in to the invitee's
account. I was able then to access the content of a private, restricted
group of which the invitee happened to be a member (and I not).

