[$250] Inviting users to a group: issue an token and validate accept invitation link

[atelomycterus]

Any user who knows the accept invitation link format can join groups including private after authorization. It could present a security hole into Vanilla. So before using this functionality with private groups in PROD, need to issue a token/generate invitation code and validate it.

[jmgasper]

@atelomycterus - Thanks for that

@sdgun - I have disabled the ability for copilots to send invites to groups in prod for the time being.

[jmgasper]

Challenge https://www.topcoder.com/challenges/a6d96cd4-6b47-4172-8534-5252208d1860 has been created for this ticket.

This is an automated message for ghostar via Topcoder X

[jmgasper]

Challenge https://www.topcoder.com/challenges/a6d96cd4-6b47-4172-8534-5252208d1860 has been assigned to obog.

This is an automated message for ghostar via Topcoder X

[atelomycterus]

@jmgasper I added $Configuration['Plugins']['Groups']['InviteExpiration'] , Now the value is 20 mins for testing. So @sdgun can test it, not to wait long. Use '+1 day' or another value for PROD.

Changes

Unique token is generated. Only an invitee can use it. If the token is valid then the user is redirected to a group. If the token has expired:

In other cases, general error should be displayed:

Please apply PRs:

• Issues-449: added GroupInvitation table #450.
• Issues-449 forums-groups-plugin#63
  Thanks!

Settings

// e.g. '+15 min', '+1 day'
$Configuration['Plugins']['Groups']['InviteExpiration']= '+20 min';

Let me know if you need

1. List of all pending/accepted invitations for a group
2. Decline an invitation from an email. Now an accept link only in email
3. Delete an invitation
4. See all group invitations in Vanilla User Profile and accept/decline them
5. Deleting expired invitations. Now I don't delete them. Maybe it will be needed for history
6. Resend an invitation again
7. ....