discord / discord-api-docs

Official Discord API Documentation
https://discord.com/developers/docs/intro

Unsolicited Email via Teams #795

Closed broman closed 5 years ago

broman commented 5 years ago

Being able to add people to a team by their username#discriminator seems like a bad idea. While some people have their emails publicly available, that's not the case for everybody.

Example: sefd asf gdsf sdfdsfg

Just seems way too easy to send email to any Discord user.

LewdCode commented 5 years ago

This could also be abused to send messages to someone who has blocked a team owner, if they change the team name to a message blockedbutmessaging

msciotti commented 5 years ago

This functionality actually already exists within the developer portal in the Application Whitelist portion of an app, although it's a very niche feature and therefore not a lot of people use it/know about it.

We've had numerous discussions internally about how to handle this. Do we gate team invites behind being friends with whoever you're inviting? No, "friends" on Discord are not super discoverable to begin with, and we didn't want to punt people back to the app.

What about inviting by email? Possibly, as then you at least have to know the user's email before sending them an email. However, there's a very real chance that devs working together on Discord - especially hobbyists and not game devs/large bot devs - would not know each other's emails.

Sending the invites is fairly well rate-limited; we had spam via this vector last year. And you can't invite the same user more than once unless you're revoking their pending invite and then sending them another.

Sorry for the lots of words, but wanted to just outline thinking. As with all things, we'll monitor the usage of team invites. If we see a pattern of abuse emerging, we'll make sure to handle it swiftly. I know this didn't give a definitive will change/won't change, but we are thinking about that and will be monitoring it.

broman commented 5 years ago

@msciotti Thanks for the response, it does seem like a catch-22. Hopefully this won't be abused too much. Thanks again

eritbh commented 5 years ago

Out of curiosity, is it possible to just not send an email for invites to teams owned by blocked users? That seems to me like it would at least mitigate the case @LewdCode brought up, and wouldn't make it any harder for legitimate requests to be made - plus, if for some reason you want to accept an invite from a user you have blocked, you can temporarily unblock them and then accept the request.

trinitrotoluene commented 5 years ago

I'm wondering whether it wouldn't simply be more prudent to restrict the ability to invite users to a team to friends only, or at the most users with whom you share a mutual friend.

Since depending on the answer to #792 you could be exposing yourself to a fair amount of risk by inviting users to a team, I don't think this is as much of a restriction of use-cases as it sounds initially.

As a by-product of this you'd also eliminate the ability to send users that have you blocked unsolicited email messages.

shikhir-arora commented 5 years ago

Maybe adding an option to either the client (since there's options for a lot of settings already) or in the user's developer portal that allows one to set a simple "allow invites from users to teams" -- if that's not checked, then inviting such a user could simply throw a message like "User wumpus#0001 has not enabled team access" or something along those lines. And as has been mentioned, developers would almost certainly know that user and then be able to DM them and ask/remind them to enable the setting. They could also turn it off right after if they just wanted it to be a one-time thing. Might be a bit complex, but it could make sense.

msciotti commented 5 years ago

@shikhir-arora the complexity really is the question. I know whenever I've been working with dev tools, I get annoyed if I'm constantly bounced around a product or given arcane instructions to enable something tucked far away in settings. As this behavior is already established within the Dev Portal, we're not immediately concerned. But, as mentioned, we'll continue to monitor 👍

noahrasor commented 5 years ago

Closed#100

> On Wed, Jan 9, 2019, 1:59 PM Mason Sciotti <notifications@github.com> wrote:
>
> @shikhir-arora https://github.com/shikhir-arora the complexity really is the question. I know whenever I've been working with dev tools, I get annoyed if I'm constantly bounced around a product or given arcane instructions to enable something tucked far away in settings. As this behavior is already established within the Dev Portal, we're not immediately concerned. But, as mentioned, we'll continue to monitor 👍