gitcoinco / web

Grow Open Source
https://gitcoin.co

A user is able to add any other user as a member of their Grant's team #8380

Open gdixon opened 3 years ago

gdixon commented 3 years ago

Describe the bug

As demonstrated here: https://gitcoin.co/grants/1945/gitcoin-grants-round-9-dev-fund-2, a user/scammer is able to add any other user to their Grant without approval or verification. This offers the user/scammer legitimacy and might make it more likely for victims to fall foul of scam Grants.

To Reproduce

Expected behavior

Each user listed under a Grant should have to accept a request to be part of the Grant's team; they should not be displayed to any other user or join team_members until they have accepted.

Screenshots

Screenshot 2021-02-11 at 02 05 02

thelostone-mc commented 3 years ago

I did build something similar but we retired that eventually https://github.com/gitcoinco/web/pull/3366

nopslip commented 3 years ago

What about something like this:

1) user adds new member(s) to the grant using the existing TEAM MEMBERS drop-down from the edit grant window

2) if/when SAVE CHANGES is pressed the back end will queue and send an 'invitation to join Gitcoin Grant XYZ' email to the address(es) connected to those accounts.

Similar to a password reset email or something, if the link to approve is not clicked nothing happens. If they do click it, it could auto approve or take them to a page with more info about the grant where it can be approved. Some UX would be helpful to guide the user through this as well, but it feels like a clean and efficient way to implement approvals with minimal overhead.

What do you guys think?

PixelantDesign commented 3 years ago

Yes! Like this idea. Will take a look at this today.

PixelantDesign commented 3 years ago

Here is a draft

Edit Form

Screen Shot 2021-03-17 at 12 07 37 PM

Grant detail display

Screen Shot 2021-03-17 at 12 07 53 PM

Email confirming user has accepted

Screen Shot 2021-03-17 at 12 08 45 PM

Email confirming user has been invited to join

Screen Shot 2021-03-17 at 12 08 05 PM

This means all grants created will have pending team members.

nopslip commented 3 years ago

Looks good to me!

One other thing that occurred to me is that there should probably be some kind of limiter put in place to prevent the backend from spamming invitees. For example, if a user is [added, saved, removed, saved, re-added, saved] we don't want to generate an email each time. Also, if a user gets removed we would probably need to make sure the invite is no longer valid.
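The invite-then-approve flow proposed above, together with the dedup and invalidation points from the last comment, as an added Python sketch that is not Gitcoin's code: accepted members are kept apart from pending invites, only a hash of the emailed token is stored, re-saving while a live invite exists sends nothing, and removing a user revokes their link. The seven-day expiry, the example.invalid link and the in-memory outbox are assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

def _hash(token):
    return hashlib.sha256(token.encode()).hexdigest()

@dataclass
class Invite:
    token_hash: str     # only the hash is stored; the raw token goes into the email link
    expires_at: float
    revoked: bool = False

class GrantTeam:
    def __init__(self, grant_id, ttl=7 * 86400):
        self.grant_id = grant_id
        self.ttl = ttl          # invite links expire; assumption, not from the thread
        self.members = set()    # accepted members: the only ones displayed publicly
        self.pending = {}       # invitee -> Invite
        self.outbox = []        # constructed stand-in for the email queue

    def invite(self, invitee, now=None):  # called when SAVE CHANGES is pressed
        now = time.time() if now is None else now
        if invitee in self.members:
            return None
        inv = self.pending.get(invitee)
        if inv and not inv.revoked and inv.expires_at > now:
            return None  # a live invite already exists: re-saving must not spam the invitee
        token = secrets.token_urlsafe(32)
        self.pending[invitee] = Invite(_hash(token), now + self.ttl)
        self.outbox.append((invitee, f"https://example.invalid/grants/{self.grant_id}/accept?token={token}"))
        return token

    def remove(self, invitee):  # removing a user also invalidates any outstanding invite link
        self.members.discard(invitee)
        if invitee in self.pending:
            self.pending[invitee].revoked = True

    def accept(self, invitee, token, now=None):  # handler for the link in the email
        now = time.time() if now is None else now
        inv = self.pending.get(invitee)
        if inv is None or inv.revoked or inv.expires_at <= now:
            return False
        if not secrets.compare_digest(inv.token_hash, _hash(token)):
            return False
        del self.pending[invitee]  # only now does the user join members
        self.members.add(invitee)
        return True
```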