Navigating to another user's 'invites' page leads to portfolio page without redirect message
Someone invited me to a hidden commons group, but she invited the wrong account -- username matttestaccount instead of username admin. When I clicked on the link in the email to "Accept pending invitations by visiting your Manage Invitations page," I came to a page where I could see that account profile, but I was already previously logged into the system under my admin account. I would have expected the system to tell me that the group invitation was for a different account and to give me the option to log in or accept it through a different account or something else, but it did not. Screenshot attached of what I saw when I clicked on the "visiting your Manage invitations page". I don't know whether this has something to do with the fact that my admin account has superadmin privileges.
#1 Updated by Boone Gorges over 3 years ago
- Subject changed from Invitation snafu to Navigating to another user's 'invites' page leads to portfolio page without redirect message
- Assignee changed from Boone Gorges to Raymond Hoh
- Target version set to 1.13.11
This does appear to be linked to the fact that you're logged in as a different account, not necessarily a super admin. I've confirmed that when attempting to visit members/foo/invites while logged in as a user other than foo, you're redirected to the user's profile (/members/foo/). This is intended behavior: https://github.com/cuny-academic-commons/cac-onboarding/blob/faa5510880538dec14caf065d2446f3afd4dfbfb/src/Frontend.php#L50
I think the missing link here is that our portfolio template doesn't appear to show template notices, so you don't get the 'You do not have access to that page' message. I guess I'd suggest that we add support for these messages to this page (with appropriate styling), since this is a problem that may arise in contexts other than cac-onboarding.
Ray, could you let me know what you think, and if this sounds good to you, go ahead and make the change? Pass back to me if the cacap templates are confusing :-D
Note that this only arises for people who receive invitations at an account other than the one they're logged in as. Thus, it's very unlikely to come up in other circumstances.
#2 Updated by Matt Gold over 3 years ago
I guess I had been thinking about something we built into the invitation system when people were invited by email but the invitation went to a different email address than the one used by a member of the Commons. I remember there being a way to transfer the invitation to another account. I don't know whether we considered this use case, where someone might have two accounts and the wrong one was invited. It is probably not all that common of a use case, and most people (I think) have only one account.
#3 Updated by Boone Gorges over 3 years ago
The invitation system covers the case where you are a member of the commons with firstname.lastname@example.org, and I send you an invitation at email@example.com, and you want to "claim" the matt1 invitation for the matt2 account. There's nothing covering the case where one account may want to claim an invitation sent to another account (as opposed to email address).
It would be possible to add this, since we generate "claim keys" for all invitations. But IMO it's a bad idea - it's relevant for a very small subset of our user base, and would only confuse if we mentioned it in the email text.
#5 Updated by Raymond Hoh over 3 years ago
- Status changed from Assigned to Staged for Production Release
To address the template notices, I've done the following:
- Show template notices when on the Commons profile (the
- Fix a bug where template notices may not show up (the
cac-onboarding so invalid access requests are sent to the displayed user's Activity page instead of the main page because of the