
invite link invalidated by attempt to use it while logged in #11903

Open
joriki opened this issue Aug 19, 2019 · 3 comments
Labels
Bug Report/Open Bug report/issue

Comments

joriki commented Aug 19, 2019

Summary

Following an invite link while logged in as another user invalidates the link but doesn't allow the new user to sign up.

Steps to reproduce

- Using Mattermost server 5.13.2:
- Enable email invitations (System Console > Authentication > Signup > Enable Email Invitations)
- Invite someone by email (switch to team, Burger Menu > Send Email Invite) (e.g. invite yourself via another email not yet known to Mattermost)
- Click on the link in the invitation email while logged in as another user (in my case system administrator, don't know whether that matters)

Expected behavior

Either it should be possible to sign up as the new user despite already being logged in; or, if not, there should be a message saying that signup only works when you're not logged in; most importantly, in the latter case, the invitation link shouldn't be invalidated by this failed attempt.

Observed behavior (that appears unintentional)

The link doesn't lead to the signup page but to the normal user interface for the user who's already logged in; there's no indication of a failed signup attempt. If you now log out and try to use the invitation link again, it doesn't work anymore (though this only becomes apparent after you've filled in the form and try to submit it). A look at the database confirms that the invitation token is deleted on the first attempt.

@amyblais amyblais added the Bug Report/Open Bug report/issue label Aug 19, 2019
amyblais (Member) commented

Hi @joriki, I opened a bug ticket here: https://mattermost.atlassian.net/browse/MM-17896. I think this behaviour has existed for a while.

joriki (Author) commented Aug 22, 2019

Hi @amyblais,

I just saw Miguel's comment on the bug ticket. I'm responding here because I can't reply there. Miguel writes:

Turns out that this is a contemplated use case. If a user that is currently logged in uses an invite link, they will be added to the team that the invitation belongs to. If the user already belongs to the team that the invite is for, the invite will be consumed and will cause no effect on the user.

This makes some (I believe invalid) assumptions about how people use computers. It doesn't work if two people share a computer (e.g. if they live together, or temporarily during a visit, or in an internet café) and one user (perhaps accidentally) remains logged in and another user (of the same computer) doesn't know this. It also doesn't work if for some reason the same user wants to have two accounts in the team (as in my case: I wanted to have an admin account and a non-admin account).

More generally speaking, it seems like a bad idea to me to interpret a link sent to a specific email address (and containing that email address) as pertaining to some user who happens to be logged in in the browser but isn't known to have any connection to that email address, and applying an operation that was intended for the owner of that email address to that potentially unrelated user instead.
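The point made in the two paragraphs above, that an emailed invite is a capability addressed to one email address and should neither act for an unrelated logged-in account nor be spent by such an attempt, can be shown as a small redemption routine. The following Go code is an added illustration written for this page, not Mattermost's own implementation; the `Invite`, `Session`, `InviteStore`, `Redeem` and `CompleteSignup` names are hypothetical. The token is consumed only after the invited address has actually joined the team; a click from a session whose email does not match is rejected with a message and leaves the token valid for its intended recipient.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Invite is one emailed invitation (hypothetical model). Email is the address
// the link was sent to, which is the only principal the token should act for.
type Invite struct {
	Token     string
	Email     string
	TeamID    string
	ExpiresAt time.Time
}

// Session is the browser's current login; nil means logged out.
type Session struct {
	UserID string
	Email  string
}

type Outcome int

const (
	SignupRequired Outcome = iota // no session: show the signup form, token kept
	Joined                        // session email matches the invite: joined, token consumed
)

var (
	ErrUnknownToken = errors.New("invite token unknown, expired or already used")
	ErrWrongAccount = errors.New("this invite was sent to a different email address; sign out and open the link again")
)

// InviteStore is an in-memory stand-in for the invite and membership tables.
type InviteStore struct {
	invites map[string]Invite
	members map[string]map[string]bool // teamID -> set of lower-cased member emails
}

func NewInviteStore() *InviteStore {
	return &InviteStore{invites: map[string]Invite{}, members: map[string]map[string]bool{}}
}

func (s *InviteStore) Add(inv Invite) { s.invites[inv.Token] = inv }

// lookup returns a live invite or ErrUnknownToken; expired tokens are dropped on sight.
func (s *InviteStore) lookup(token string, now time.Time) (Invite, error) {
	inv, ok := s.invites[token]
	if !ok {
		return Invite{}, ErrUnknownToken
	}
	if now.After(inv.ExpiresAt) {
		delete(s.invites, token)
		return Invite{}, ErrUnknownToken
	}
	return inv, nil
}

// join adds the email to the team and only then spends the token (exactly once).
func (s *InviteStore) join(inv Invite, email string) {
	if s.members[inv.TeamID] == nil {
		s.members[inv.TeamID] = map[string]bool{}
	}
	s.members[inv.TeamID][strings.ToLower(email)] = true
	delete(s.invites, inv.Token)
}

// Redeem handles a click on the invite link. A logged-in account may use the
// token only if it owns the invited address; any other session gets a clear
// error and the token stays untouched for the intended recipient.
func (s *InviteStore) Redeem(token string, sess *Session, now time.Time) (Outcome, error) {
	inv, err := s.lookup(token, now)
	if err != nil {
		return 0, err
	}
	if sess == nil {
		return SignupRequired, nil
	}
	if !strings.EqualFold(sess.Email, inv.Email) {
		return 0, ErrWrongAccount
	}
	s.join(inv, sess.Email)
	return Joined, nil
}

// CompleteSignup finishes the logged-out path: the new account must be created
// with the invited address before the token is spent.
func (s *InviteStore) CompleteSignup(token, newEmail string, now time.Time) error {
	inv, err := s.lookup(token, now)
	if err != nil {
		return err
	}
	if !strings.EqualFold(newEmail, inv.Email) {
		return ErrWrongAccount
	}
	s.join(inv, newEmail)
	return nil
}

func (s *InviteStore) IsMember(teamID, email string) bool {
	return s.members[teamID][strings.ToLower(email)]
}

func main() {
	// Constructed walk-through of the scenario in the report: an admin session
	// clicks a link addressed to a new user, then the new user signs up logged out.
	now := time.Now()
	store := NewInviteStore()
	store.Add(Invite{Token: "tok-123", Email: "new@example.com", TeamID: "team-a", ExpiresAt: now.Add(48 * time.Hour)})
	_, err := store.Redeem("tok-123", &Session{UserID: "u1", Email: "admin@example.com"}, now)
	fmt.Println("while logged in as admin:", err)
	out, _ := store.Redeem("tok-123", nil, now)
	fmt.Println("logged out, signup required:", out == SignupRequired)
	fmt.Println("signup error:", store.CompleteSignup("tok-123", "new@example.com", now))
	fmt.Println("new user is member:", store.IsMember("team-a", "new@example.com"))
}
```

Two design choices carry the security point: membership is granted and the token deleted in one step after the address check, so a failed attempt never spends the capability, and the check compares the session's email with the invite's email rather than trusting whoever happens to be logged in on a shared computer.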

wiersgallak (Contributor) commented

@joriki Thank you for bringing this to our attention. Since this was the original design of the feature and there is a workaround of logging out of the first session on the computer after sending a refreshed invite link, any changes to this flow would be considered an improvement and would need to be scheduled for future work.

I agree that the current behavior is not especially obvious and does not consider all the use cases of how users share computers. Thus, I am going to convert this bug to a story and add some notes for us to consider when we are able to review the invite flow again in the future.

To clarify the scenario of sharing a public computer like in an internet cafe, if a new user logs in there are mechanisms in place for different logins not to share any information, browser history, sessions and that sort of thing included.

3 participants