Closed (outdated)
Project: Invite
Version: master
Component: Code
Priority: Normal
Category: Feature request
Assigned: Unassigned
Reporter:
Created: 18 Jul 2008 at 13:08 UTC
Updated: 27 Jun 2018 at 13:33 UTC
Observation as much as anything. I see that this is by design; however, site dependent, it strikes me there could be a privacy issue.
The following recipient is already a member:
johnthomas (jthomas@example.com)
My quick fix is to amend line 806 (5.x-1.9) to $failed_emails[$key] = check_plain($email);
Comments
Comment #1
smk-ka commented
Erm, I don't really understand where you see security implications here. You already know the user's e-mail address (since you just typed it in), everything that's revealed now is the user account that the address belongs to.
Consider the regular case, when the user isn't yet registered: upon registration, you will receive a similar message ("johnthomas (jthomas@example.com) has joined foo.com!"), which - again - reveals the connection between the e-mail and user name. Do you have a use case when this connection shouldn't be revealed?
Comment #2
bobdalob commented
It's just that I don't know other sites where you can reveal the corresponding username by entering an email address which is in essence what one does with an open registration site using the invite module.
Made-up example: I suspect an employee of writing what he thought were anonymous comments about me as an employer, on a Drupal-based employee support site. If I 'invite' all my employees by their known email addresses, all of those who are registered on said site will be revealed to me by username and I can then not only see exactly what they're saying about me or my company - I can see who said it! I'm not sure all users of all Drupal sites (using invite) would realise that.
I'm sure that for most it is not a concern - I just thought it was a point worth raising and I happily leave it there. I think it's a bit different when an invitee registers with an invite - it most likely indicates the invitee knows the inviter, or at least the invite is knowingly accepted.
Comment #3
smk-ka commented
Thanks for your insight, that's definitely a more interesting issue than I first thought.
The 2.x branch of this module is taking a whole different direction, by adding the possibility to track who invited whom (albeit backed by a user permission, so it could easily be turned off). But yeah, given your example I now can imagine that it should indeed be possible to make Invite even less chatty. I'll check whether tokenized notification messages could come to the rescue here, which would allow admins to specify exactly how much information should be revealed.
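An added illustration of the tokenized-notice idea from Comment #3 combined with the escaping from the reporter's quick fix; this is not code from the Invite module. The function name, the token names [email] and [username], the $allowed list and the sample accounts are all hypothetical, and htmlspecialchars() stands in for Drupal's check_plain().

```php
<?php
// Added illustration, not code from the Invite module.
// Constructed stand-in for the site's user table: e-mail => username.
$accounts = ['jthomas@example.com' => 'johnthomas'];

// Hypothetical admin setting: the notice template and the tokens it may use.
// Leaving '[username]' out of $allowed keeps the e-mail/username link private.
function example_member_notices(array $emails, array $accounts, string $template, array $allowed): array {
  $notices = [];
  foreach ($emails as $email) {
    $key = strtolower(trim($email));
    if (!isset($accounts[$key])) {
      continue; // Not registered: the invitation would be sent as usual.
    }
    $tokens = [
      // Escape everything shown to the inviter; htmlspecialchars() stands in
      // for Drupal's check_plain() from the reporter's quick fix.
      '[email]' => htmlspecialchars($email, ENT_QUOTES, 'UTF-8'),
      '[username]' => htmlspecialchars($accounts[$key], ENT_QUOTES, 'UTF-8'),
    ];
    foreach ($tokens as $token => $value) {
      if (!in_array($token, $allowed, true)) {
        $tokens[$token] = ''; // Disallowed token: substitute nothing.
      }
    }
    $notices[] = trim(strtr($template, $tokens));
  }
  return $notices;
}

$invited = ['jthomas@example.com', 'someone.new@example.com']; // constructed input

// Behaviour described in the report: username and address shown together.
print_r(example_member_notices($invited, $accounts, '[username] ([email])', ['[username]', '[email]']));

// Reduced disclosure: same template, but the admin has not allowed [username].
print_r(example_member_notices($invited, $accounts, '[username] ([email])', ['[email]']));

// Template that only echoes back what the inviter typed.
print_r(example_member_notices($invited, $accounts, '[email]', ['[email]']));
```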
Comment #4
kenorb commented
The same problem.
Comment #5
pacman2009 commented
How do I add an existing member as my friend using the invite module? The "Invite friend" link can only be useful when you invite a non-member to join the site.
Comment #6
kenorb commented
#124711: Adding buddy that's already a member of the site doesn't work
Comment #7
kenorb commented
Drupal 6 is no longer officially supported. If you think this issue is still relevant for 8.x, feel free to re-open.