#### moderated Expire invitations after 14 days

Bruce Bowman

It's my understanding that invitations currently never expire and have to be manually canceled by a group admin. I'd like to suggest that invitations automatically be removed from the list after 14 days. This would be consistent with the behavior for applicants and messages in Pending.

Why? Besides, the convenience factor, I just don't like the idea of sending out an active link via email and have it continue to work forever.

Thanks for your consideration,
Bruce

On Tue, Apr 13, 2021 at 9:20 AM Bruce Bowman <bruce.bowman@...> wrote:
It's my understanding that invitations currently never expire and have to be manually canceled by a group admin. I'd like to suggest that invitations automatically be removed from the list after 14 days. This would be consistent with the behavior for applicants and messages in Pending.

This is a good idea. I'm adding it today.

Thanks,
Mark

Kathi M

I totally dislike this suggestion and that it was implemented without asking any other managers.   I use that list to resend invitations to people because I have found that some people miss the initial invitation.   My group is for a High School Reunion.    I now have to reenter all the email addresses and names of those I invited.

Duane

On Thu, Apr 15, 2021 at 09:39 AM, Kathi M wrote:
I totally dislike this suggestion and that it was implemented without asking any other managers.
Mark is allowed, he owns the site. ;>)

Maybe if the invitation status changed to expired instead of being deleted it would be less of a jolt.  Not sure how much extra work that would be though.  For me, 2 weeks is plenty to deal with invitations.  If they haven't accepted by then, I've found that they probably won't.  If they 'complain', I can always send another.

Duane

Hi All,

I've made the following changes:

- We no longer will delete invites after 14 days.
- Invite links will expire 24 hours after the invite has been sent. That means clicking the link or replying to the invite email will no longer work, and you'll get an error message instead.

Please let me know if you have any questions.

Thanks,
Mark

Donald Hellen

Mark . . .

On Thu, 15 Apr 2021 13:53:17 -0700, "Mark Fletcher"
<markf@corp.groups.io> wrote:

- Invite links will expire 24 hours after the invite has been sent. That means clicking the link or replying to the invite email will no longer work, and you'll get an error message instead.
I know of plenty of people in my groups who don't check their email on
a daily basis. I'm one of those myself when I come home from work and
go directly to bed, skipping my afternoon or evening email catch-up.

This won't work well for those people. By the time they see it,
assuming they skipped a day for whatever reason (vacation away from
the grid, sickness, internet connection faulty that day, etc.), it
will be too late.

Sure, they can contact the group owner address, but can we really
expect that of some people who find something we think of as simple to
do online as intimidating?

I hope this is reversed. If not, I can see some groups having problems
with this.

Donald

----------------------------------------------------
Some ham radio groups you may be interested in:
https://groups.io/g/ICOM https://groups.io/g/Ham-Antennas
https://groups.io/g/HamRadioHelp https://groups.io/g/Baofeng
https://groups.io/g/CHIRP https://rf-amplifiers.groups.io/g/main

Malcolm Austen

On Thu, 15 Apr 2021 21:53:17 +0100, Mark Fletcher <markf@corp.groups.io> wrote:

Hi All,

I've made the following changes:

- We no longer will delete invites after 14 days.
- Invite links will expire 24 hours after the invite has been sent. That means clicking the link or replying to the invite email will no longer work, and you'll get an error message instead.

Please let me know if you have any questions.

I'd like to question the logic in the 24 hour expiry setting Mark. In my experience not everyone reads their email daily. I would suggest that one, maybe even two, weeks is a better figure for expiring the invitation. That allows time for someone to see the invitation some days later, query it's validity, and then still accept without a repeat being sent out.

Malcolm.

--
Malcolm Austen - email: malcolm.austen@...

Duane

On Fri, Apr 16, 2021 at 03:19 AM, Malcolm Austen wrote:
I'd like to question the logic in the 24 hour expiry setting
I believe this is related to another problem that some folks have seen.  If the invitation is forwarded or posted, anyone clicking the link has access to the invitees account.  IIRC, there was a similar problem with the links in the 'resume' email when removed for spam.  In that case, the expiration was changed to 7 days to allow time to be used.  My preference would be 3 days maximum on both before expiring to minimize the time for possible problems, but because of each person's email checking habits, I'm not sure what the optimum time would be.  Whatever time is used, it will be a compromise between making it easy for the link to be used and the security of the account.

Duane

Andy Wedge

On Fri, Apr 16, 2021 at 09:19 AM, Malcolm Austen wrote:
I'd like to question the logic in the 24 hour expiry setting
To provide consistency with the link sent via the Email me a link to log in button I assume.

Andy

Jeremy H

While having invites last, unexpired, for ever is not desirable, having them expire after only 24 hours goes far too far to the other extreme. As others have said, many people - not just the less tech inclined - do not look at, or respond to e-mails every day - and it is unreasonable to expect them to do so. Nor is an invitation to join a group the sort of thing necessarily calling for an instant response.

So I would regard 14 days as a minimum, before they expire. And when they do, I would suggest that their status be changed to expired (or something like it).

Nor I do not think there should any subsequent automatic deletion (or at lest, not for years); rather they should stay (and able to be resent) until manually cleaned up (and a deletion tool to assist this, based on status and time, would be very useful),

Jeremy

On Thu, Apr 15, 2021 at 09:53 PM, Mark Fletcher wrote:
Hi All,

I've made the following changes:

- We no longer will delete invites after 14 days.
- Invite links will expire 24 hours after the invite has been sent. That means clicking the link or replying to the invite email will no longer work, and you'll get an error message instead.

Please let me know if you have any questions.

Thanks,
Mark

Kathi M

So if they get an error message, will it allow them to request subscription?

I’m going to have to admit that this was my initial reaction to the post too.
Twenty-four hours does seem too short.
Though having a ‘reasonable’ deadline is a good move.

On Apr 16, 2021, at 04:19, Jeremy H via groups.io <jeremygharrison@...> wrote:

﻿While having invites last, unexpired, for ever is not desirable, having them expire after only 24 hours goes far too far to the other extreme. As others have said, many people - not just the less tech inclined - do not look at, or respond to e-mails every day - and it is unreasonable to expect them to do so. Nor is an invitation to join a group the sort of thing necessarily calling for an instant response.

So I would regard 14 days as a minimum, before they expire. And when they do, I would suggest that their status be changed to expired (or something like it).

Nor I do not think there should any subsequent automatic deletion (or at lest, not for years); rather they should stay (and able to be resent) until manually cleaned up (and a deletion tool to assist this, based on status and time, would be very useful),

Jeremy

On Thu, Apr 15, 2021 at 09:53 PM, Mark Fletcher wrote:
Hi All,

I've made the following changes:

- We no longer will delete invites after 14 days.
- Invite links will expire 24 hours after the invite has been sent. That means clicking the link or replying to the invite email will no longer work, and you'll get an error message instead.

Please let me know if you have any questions.

Thanks,
Mark

Hi All,

I've changed the invite link expiry to 14 days.

Cheers,
Mark

Ginger Iorizzo

Thank you!
Could I ask that the list of sent invitations remains with some sort of indication that the invitation is expired?
That way, if an owner wants to resend after the 14 days, all the info is still there.
Thanks for all you do!
Ginger

On Apr 16, 2021, at 1:35 PM, Mark Fletcher <markf@corp.groups.io> wrote:

﻿
Hi All,

I've changed the invite link expiry to 14 days.

Cheers,
Mark

I fully agree Jeremy. In this case I also cannot see what the security problem
is which is supposed to be being solved. Only the invitee receives it, and even
if they ask for trouble by forwarding it to someone else, responding to it only
results in acceptance of the invitation by the original invitee. I don't see
how it can give access to his/her account or to the system to anyone else. It
isn't like a login link, which could do that.

Jim Fisher

On 16 Apr 2021 at 5:19, Jeremy H via groups.io wrote:

While having invites last, unexpired, for ever is not desirable, having them
expire after only 24 hours goes far too far to the other extreme. As others have
said, many people - not just the less tech inclined - do not look at, or respond
to e-mails every day - and it is unreasonable to expect them to do so. Nor is an
invitation to join a group the sort of thing necessarily calling for an instant
response.

So I would regard 14 days as a minimum, before they expire. And when they do, I
would suggest that their status be changed to expired (or something like it).

Nor I do not think there should any subsequent automatic deletion (or at lest,
not for years); rather they should stay (and able to be resent) until manually
cleaned up (and a deletion tool to assist this, based on status and time, would
be very useful),

Jeremy

On Thu, Apr 15, 2021 at 09:53 PM, Mark Fletcher wrote:

Hi All,

I've made the following changes:

- We no longer will delete invites after 14 days.
- Invite links will expire 24 hours after the invite has been sent. That
means clicking the link or replying to the invite email will no longer
work, and you'll get an error message instead.

Please let me know if you have any questions.

Thanks,
Mark

Jim,

I don't see how it can give access to his/her account or to the system
to anyone else. It isn't like a login link, which could do that.
The invitation email contains a link "accept the invitation" which IS effectively a login link. That is the problem that was reported, and which precipitated the shorter lifetime for the link.

While attempting to ask a question about invitations an invitee posted the text of a received invitation, including that link, on a public forum. I tested it, and it did indeed log me in to the invitee's account. I was able then to access the content of a private, restricted group of which the invitee happened to be a member (and I not).

Shal

On Mon, Apr 19, 2021 at 01:04 AM, Shal Farley wrote:
The invitation email contains a link "accept the invitation" which IS
effectively a login link. That is the problem that was reported,  ...
I noticed a similar security problem when my group first migrated to groups.io in 2019. I had set up a small task force to evaluate Mark's software before bringing all 1,000 members over from yahoo.com. Anyway, there's a footer at the end of every message distributed to my group:

-=-=-
Group Owner: main+owner@t-vog.groups.io
Unsubscribe: https://t-vog.groups.io/g/main/leave/[redacted]
-=-=-=-=-=-=-=-=-=-=-=-

During the exploratory period I noticed that people were posting replies to messages and quoting everything in the original message, including this "unsubscribe" link. This of course meant that any member in the group could unsubscribe the careless poster, if he wanted to, and knew how.

I believe I've educated my group members well enough that this never happens any more. At least, I haven't seen it in over a year. But careless people can definitely cause problems with "encrypted" links. Those ought not fall into the wrong hands. And it might make sense to strip them out of incoming messages from groups.io members. I told everybody this can only happen if you reply by email, and encouraged everybody to post their messages from the web site. But people are lazy, and sometimes careless. There's no way to "fix" that.
--
David Bryant
Canyon Lake, Texas
https://t-vog.groups.io/g/main    https://davidcbryant.net

Thanks Shal,

Yes, Bruce pointed this out to me. I didn't know it worked like that. Would it
not be better if it did not have that function, but simply required an email
reply? The recipient must already be using an email client to read the
invitation, so simply replying to it would accept the invitation but nothing
else. That would, I think, remove the need for any expiry date.

Jim

On 18 Apr 2021 at 23:04, Shal Farley wrote:

Jim,

> I don't see how it can give access to his/her account or to the system
> to anyone else. It isn't like a login link, which could do that.

The invitation email contains a link "accept the invitation" which IS
effectively a login link. That is the problem that was reported, and
which precipitated the shorter lifetime for the link.

While attempting to ask a question about invitations an invitee posted
the text of a received invitation, including that link, on a public
forum. I tested it, and it did indeed log me in to the invitee's
account. I was able then to access the content of a private, restricted
group of which the invitee happened to be a member (and I not).

Shal

Steven Knowles

Mark, so far an aspect of Groups.io I've liked is the fact that it doesn't seem to move the goal posts on existing members.

Unfortunately I've discovered that the goal posts do appear to have been moved on the subject of historical invitees. One of the nice features, as was with Yahoo! Groups, was the audit trail of past invitations. I've just gone to check when an individual of a group I manage was sent an invitation, and was puzzled that there seemed to be just one past invitation that was in the list. I spent a while trying to figure which options I needed to adjust in order to see historical invitations, to no avail. I came to this group to try figure out what the problem is. And now despondent upon discovering that it's all changed, and some really useful data from my perspective has seemingly been erased.

Does historical data about invitees still exist, or has it gone forever?

On Fri, Apr 23, 2021 at 2:27 PM Steven Knowles <emailus@...> wrote:
Mark, so far an aspect of Groups.io I've liked is the fact that it doesn't seem to move the goal posts on existing members.

Unfortunately I've discovered that the goal posts do appear to have been moved on the subject of historical invitees. One of the nice features, as was with Yahoo! Groups, was the audit trail of past invitations. I've just gone to check when an individual of a group I manage was sent an invitation, and was puzzled that there seemed to be just one past invitation that was in the list. I spent a while trying to figure which options I needed to adjust in order to see historical invitations, to no avail. I came to this group to try figure out what the problem is. And now despondent upon discovering that it's all changed, and some really useful data from my perspective has seemingly been erased.

The historical data on that page is now gone. But I am not deleting invites going forward.

On the group member page, I have added the origin for the member, after Joined via... at the top of the page, so you can see how that person ended up in the group.

Thanks,
Mark

 1 - 20 of 21