[FIXED] Privacy issue: invited members bypass moderation and group rules!

Sperber

Member
truonglv ,
another issue found: when a user has been invited into a group where joining users have to be moderated by the group settings, those invited users bypass the moderation and instantly become added to the group with full read & write access. This is a serious privacy issue and I´ld like to urge you to fix this.
 
That kinda weird flow for users. User receive an invitation then accept and still waiting a confirmation from moderator?

Anyway. I have remove invited state as valid so invited members cannot access as a valid member.
 
That kinda weird flow for users. User receive an invitation then accept and still waiting a confirmation from moderator?
TotoroNo, that´s not weird - that´s the usual behaviour of any group function out there when it comes down to closed groups. For open groups this ain´t a problem, as the whole group content is public anyway. But in closed groups you may be have content, you don´t want to show off to the public or others without your consent as group admin. The point why this option now became a problem for closed or secret groups is, that your add-on is lacking of two optional preferences in the group privacy settings:

- Allow group members to invite others... (going to group moderation queue - no read/write access)​
- ... and allow invited members to bypass join request moderation. (no moderation, direct access- full read/write access)​
 
Have you adressed and fixed that problem, as it´s violating the GPDR and exposes us as site owners to the risk to become sued?
 
It's changed. Now every invited members when they accept the invitation will go to moderated and waiting for admin approve it.
 
Back
Top