3meters / patchr-ios

Next incarnation of Patchr for iOS

Security: Any group member can update any invite #37

Closed Jaymassena closed 7 years ago

Jaymassena commented 7 years ago

We would like to limit invite updates to just the inviter and the invitee, but the only way to do that would be to require invitees to use the same email for their account that was used for the invite. I didn't require that in general because the invitee might have been reached via an inappropriate or stale address.

Jaymassena commented 7 years ago

No progress on this but I have limited the surface area:

Only the inviter can update the whole invite. We use this to support updating an invite. For example, I could invite Mary again with an additional channel. If there is already an invite for Mary and the same group, it will be updated and email sent again. This is also a way to support resending an unchanged invite.

Group members who are not the inviter can only update three properties: status, accepted_by, and accepted_at. Malicious property updates could happen but the extent of possible damage is limited since none of these properties trigger any actions. Worst case is that the information the inviter sees for an invite is incorrect. Setting status to accepted also prevents the invite from being used again so the correct invitee would be blocked from using the invite. Once an invite status is marked as accepted, it cannot be changed again.

Jaymassena commented 7 years ago

This is the best we can do without locking the invite to the email it was sent to. The thinking is to keep friction down and we can revisit this if it surfaces as a target for malicious service attacks.
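
The update rules described in this thread, written out as a field-level authorization check. This is an added example, not code from the patchr project: only the three property names (status, accepted_by, accepted_at) come from the thread, while the function names, the dict shape and the user ids are hypothetical, and applying the accepted lock to the inviter as well is an assumption.

```python
# Added example, not the project's code. The three member-writable field
# names come from the thread; all other names and values are hypothetical.
MEMBER_WRITABLE = frozenset({"status", "accepted_by", "accepted_at"})


class UpdateDenied(Exception):
    """Raised when an invite update breaks the rules from the thread."""


def authorize_invite_update(actor_id, invite, changes, group_members):
    """Return the changes to apply, or raise UpdateDenied."""
    if actor_id not in group_members:
        raise UpdateDenied("actor is not a member of the invite's group")
    # Assumption: the accepted lock binds every actor, the inviter included.
    if "status" in changes and invite["status"] == "accepted":
        raise UpdateDenied("status is locked once the invite is accepted")
    if actor_id == invite["inviter"]:
        return dict(changes)  # the inviter may rewrite the whole invite
    blocked = sorted(set(changes) - MEMBER_WRITABLE)
    if blocked:
        raise UpdateDenied("non-inviter may not change: " + ", ".join(blocked))
    return dict(changes)


def check(actor_id, invite, changes, group_members):
    """Return 'allowed' or 'denied: <reason>' instead of raising."""
    try:
        authorize_invite_update(actor_id, invite, changes, group_members)
        return "allowed"
    except UpdateDenied as exc:
        return f"denied: {exc}"


# Constructed sample data.
GROUP = {"user_jay", "user_mary", "user_eve"}
PENDING = {"inviter": "user_jay", "email": "mary@example.com",
           "channels": ["general"], "status": "pending",
           "accepted_by": None, "accepted_at": None}
ACCEPTED = dict(PENDING, status="accepted", accepted_by="user_mary")

if __name__ == "__main__":
    # Inviter re-sends the invite with an extra channel.
    print(check("user_jay", PENDING, {"channels": ["general", "design"]}, GROUP))
    # Residual risk named in the thread: any member can mark it accepted.
    print(check("user_eve", PENDING, {"status": "accepted"}, GROUP))
    # A non-inviter member cannot change the address the invite was sent to.
    print(check("user_eve", PENDING, {"email": "eve@example.com"}, GROUP))
    # Once accepted, the status cannot be reverted.
    print(check("user_mary", ACCEPTED, {"status": "pending"}, GROUP))
```

The second case is the gap the thread leaves open: the check cannot tell the real invitee from any other group member, so logging who set accepted_by is the only trace the inviter has.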