Closed danielmarschall closed 9 months ago
It is possible that anyone can receive an invitation, even if they were not assigned as RA to any object, just by entering "oidplus:invite_ra$xx$..." in the goto box. It should be somehow secured.
It turns out that this is already implemented with the method inviteSecurityCheck().
The admin itself may invite everyone, even people who have no OID (yet).
So everything's good. No security risk.