Invitation can cause users to be erroneously and transparently added to private message
Package
Discourse
(Discourse)
Affected versions
stable <= 2.8.10; beta <= 2.9.0.beta11; tests-passed <= 2.9.0.beta11
Patched versions
stable > 2.8.10; beta > 2.9.0.beta11; tests-passed > 2.9.0.beta11
Impact
In some rare cases, users redeeming an invitation can be added as a participant to several private message topics that they should not be added to. They are not notified of this; it happens transparently in the background.
Patches
Patched in the latest version.
Workarounds
Set SiteSetting.max_invites_per_day to 0 until the patch is installed.
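To decide which instances still need the workaround, the affected ranges above can be checked per branch. The following is an added example, not code from Discourse or from this advisory; the function names and sample inventory are hypothetical, and it assumes that a version string with a prerelease suffix is a beta or tests-passed build while any other string is a stable build.

```ruby
require "rubygems" # Gem::Version orders prerelease suffixes such as ".beta11" correctly

# Last affected version on each branch, as listed in the advisory.
LAST_AFFECTED = {
  stable: Gem::Version.new("2.8.10"),
  beta:   Gem::Version.new("2.9.0.beta11") # same bound applies to tests-passed
}.freeze

# Assumption: prerelease suffix => beta/tests-passed build, otherwise stable.
def discourse_branch(version)
  Gem::Version.new(version).prerelease? ? :beta : :stable
end

# The comparison must be done per branch: a single "<= 2.9.0.beta11" check
# would wrongly flag the patched stable release 2.8.11, which sorts below it.
def affected?(version)
  Gem::Version.new(version) <= LAST_AFFECTED.fetch(discourse_branch(version))
end

# Returns { host => true/false } for an inventory of { host => version }.
def triage(inventory)
  inventory.transform_values { |version| affected?(version) }
end

# Constructed inventory for illustration only.
SAMPLE_INVENTORY = {
  "forum-a.example" => "2.8.10",
  "forum-b.example" => "2.8.11",
  "forum-c.example" => "2.9.0.beta11",
  "forum-d.example" => "2.9.0.beta12"
}.freeze

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_INVENTORY).each do |host, vulnerable|
    action = vulnerable ? "set max_invites_per_day to 0, then upgrade" : "patched"
    puts "#{host}: #{action}"
  end
end
```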