Error adding a venue admin if user does not exist #461

Open
CHTJonas opened this issue Jul 25, 2018 · 5 comments
Labels
bug (Something isn't working), regression (Something that was working but now isn't)

Comments

@CHTJonas
Member

Attempting to add a new admin for a show/venue/society with an unregistered email address returns an HTTP 500 error.

[2018-07-25 22:46:19] request.INFO: Matched route "post_venue_admin". {"route":"post_venue_admin","route_parameters":{"_controller":"Acts\\CamdramBundle\\Controller\\VenueController:postAdminAction","_format":"html","identifier":"fitzpatrick-hall-queens-college","_route":"post_venue_admin"},"request_uri":"https://www.camdram.net/venues/fitzpatrick-hall-queens-college/admins","method":"POST"} []
[2018-07-25 22:46:19] security.DEBUG: Read existing security token from the session. {"key":"_security_public","token_class":"HWI\\Bundle\\OAuthBundle\\Security\\Core\\Authentication\\Token\\OAuthToken"} []
[2018-07-25 22:46:19] security.DEBUG: User was reloaded from a user provider. {"provider":"Symfony\\Bridge\\Doctrine\\Security\\User\\EntityUserProvider","username":"charlie@charliejonas.co.uk"} []
[2018-07-25 22:46:19] request.CRITICAL: Uncaught PHP Exception Symfony\Component\Debug\Exception\UndefinedFunctionException: "Attempted to call function "ereg_replace" from namespace "Acts\CamdramBundle\Controller"." at /var/www/camdram/production/releases/4/src/Acts/CamdramBundle/Controller/OrganisationController.php line 301 {"exception":"[object] (Symfony\\Component\\Debug\\Exception\\UndefinedFunctionException(code: 0): Attempted to call function \"ereg_replace\" from namespace \"Acts\\CamdramBundle\\Controller\". at /var/www/camdram/production/releases/4/src/Acts/CamdramBundle/Controller/OrganisationController.php:301)"} []
[2018-07-25 22:46:19] security.DEBUG: Stored the security token in the session. {"key":"_security_public"} []

This should probably send a link to the email and invite that person to register a user account, or similar. Possible slight GDPR concerns here as someone could in theory abuse this to find valid email addresses.
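The log above shows the actual cause of the 500: `ereg_replace()` is a PHP 5 POSIX-regex function that was removed in PHP 7, so the call at OrganisationController.php line 301 becomes an undefined-function exception at runtime rather than a deprecation notice, and only on the code path that handles an unknown email. The following is an added example, not Camdram's code, of the migration such a line needs. The issue does not show what the original line replaced, so the pattern used here (dropping characters outside a simple slug alphabet) and the function names `legacySlug`/`modernSlug` are hypothetical stand-ins.

```php
<?php
// Added example (not from the Camdram repository). Shows the PHP 5 ereg_replace()
// call beside its PCRE replacement, and why the PHP 5 version is a hard failure on
// PHP 7 rather than a warning. The pattern is a hypothetical stand-in: the issue
// does not show what line 301 actually did.
declare(strict_types=1);

/**
 * PHP 5 style (hypothetical). ereg_replace() takes a POSIX ERE with no delimiters
 * and no modifier flags. On PHP 7+ the function simply does not exist, which is
 * the branch Camdram hit: an uncaught error, hence the HTTP 500.
 */
function legacySlug(string $input): string
{
    if (!function_exists('ereg_replace')) {
        throw new \RuntimeException('ereg_replace() is not available on PHP ' . PHP_VERSION);
    }
    return ereg_replace('[^a-z0-9-]', '', strtolower($input));
}

/**
 * PCRE replacement. The same character class, now wrapped in delimiters
 * (the only change the pattern itself needs here; eregi() would become /i).
 */
function modernSlug(string $input): string
{
    // preg_replace() returns null on a PCRE error (malformed pattern, backtrack
    // limit exceeded), so check for it rather than silently returning "".
    $result = preg_replace('/[^a-z0-9-]/', '', strtolower($input));
    if ($result === null) {
        throw new \RuntimeException('preg_replace() failed, error code ' . preg_last_error());
    }
    return $result;
}

// Constructed sample input for a local run; mirrors the kind of venue name in the log.
$sample = 'Fitzpatrick Hall, Queens College!';

try {
    echo 'legacy: ', legacySlug($sample), PHP_EOL;
} catch (\RuntimeException $e) {
    // This is what happens on any PHP 7+ install.
    echo 'legacy: ', $e->getMessage(), PHP_EOL;
}
echo 'modern: ', modernSlug($sample), PHP_EOL;
```

Running it under PHP 7 or later takes the exception branch for the legacy version and prints the slug for the PCRE one. The practical lesson from the regression is that a removed built-in only fails when its code path executes, so the "unknown email" branch needs a test case of its own in the suite, otherwise a PHP upgrade can break it without anything noticing until a 500 is logged.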

CHTJonas added the bug (Something isn't working) and GDPR (Relates to data protection considerations) labels on Jul 25, 2018
philosophicles added the regression (Something that was working but now isn't) label on Jul 30, 2018
@philosophicles
Member

GDPR concerns aside for a moment, this definitely used to work, in exactly the way you describe @CHTJonas - the invited email address showed up under 'Pending Admins' and the person was emailed to suggest they sign up. As soon as a user account was created with the right email address, it all hooked up and they got society/whatever admin rights immediately.

As for GDPR - the only people who can use this approach to add a new admin are existing admins. So they have to be not just registered users (not just any random internet bot), but registered users that someone already trusts IRL to be sensible. I think the risk of abuse is thus sufficiently low...? (No criticism for giving it consideration though!)

CHTJonas removed the GDPR (Relates to data protection considerations) label on Jul 30, 2018
@CHTJonas
Member Author

Fab ok - I've removed the GDPR tag. Maybe adding new admins to shows could be something that only users who have confirmed their email address can do?

@philosophicles
Member

That seems sensible. Possibly even could go further - need to have a confirmed email address before one can get admin powers for a show/society/venue in the first place?

Though in practice I think there's a pretty simple 'chain of trust' that goes on with entity administration, so it's really pretty low risk in general, confirmed email or not.

@CHTJonas
Member Author

As @GKFX mentioned in #610, this issue now seems to only affect venue admins. I closed that ticket in favour of this just because there was slightly more discussion here.

CHTJonas changed the title from "Error adding an admin if user with that email does not exist" to "Error adding a venue admin if user does not exist" on Mar 11, 2019
@GKFX
Member

GKFX commented Mar 13, 2019

Sentry issue: CAMDRAM-WEB-9V


3 participants