toeverything / AFFiNE

There can be more than Notion and Miro. AFFiNE (pronounced [ə‘fain]) is a next-gen knowledge base that brings planning, sorting and creating all together. Privacy first, open-source, customizable and ready to use.
https://affine.pro

Self-hosted: Invite email link can be re-used, potential DoS #6889

Closed dennorske closed 1 month ago

dennorske commented 3 months ago

What happened?

When a user is invited to the platform, the user who receives the invite can re-use the invite link multiple times. Every time the user uses that link, a new email is sent out to the person who invited him, to inform them that the invite was accepted.

Steps to reproduce

  1. Invite a new user
  2. New user rapidly spam-clicks the invite link (opens multiple tabs).
  3. The equivalent number of emails is sent to the inviter, to inform them that the user has accepted the invitation.

See the attached screenshot for a sample:

image

Distribution version

Linux

What browsers are you seeing the problem on if you're using web version?

No response

Are you self-hosting?

Relevant log output

No response

Anything else?

No response
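
One way to make invite acceptance idempotent, so that re-opening the link never triggers a second notification. This is an added example, not part of the original report and not AFFiNE's code; `InviteService`, `Mailer`, `replayInvite`, the token and the addresses are hypothetical, and the store is an in-memory map.

```typescript
// Added illustration with hypothetical names; not AFFiNE's schema or code.
type AcceptResult = "accepted" | "already-accepted" | "unknown";
interface Invite {
  inviterEmail: string;
  inviteeEmail: string;
  status: "pending" | "accepted";
}
type Mailer = (to: string, subject: string) => void;

class InviteService {
  private invites = new Map<string, Invite>();
  private sendMail: Mailer;

  constructor(sendMail: Mailer) {
    this.sendMail = sendMail;
  }

  create(token: string, inviterEmail: string, inviteeEmail: string): void {
    this.invites.set(token, { inviterEmail, inviteeEmail, status: "pending" });
  }

  accept(token: string): AcceptResult {
    const invite = this.invites.get(token);
    if (!invite) return "unknown";
    // Check-and-set with no await in between, so it cannot interleave here.
    // With a database, do this as one conditional UPDATE ... WHERE status =
    // 'pending' and notify only when exactly one row was changed.
    if (invite.status !== "pending") return "already-accepted"; // replay: no email
    invite.status = "accepted";
    this.sendMail(invite.inviterEmail, `${invite.inviteeEmail} accepted your invitation`);
    return "accepted";
  }
}

// Constructed scenario from the report: the same link is opened `clicks` times.
function replayInvite(clicks: number): { results: AcceptResult[]; mailsSent: number } {
  const outbox: string[] = [];
  const svc = new InviteService((to, subject) => { outbox.push(`${to}: ${subject}`); });
  svc.create("constructed-token", "inviter@example.test", "invitee@example.test");
  const results: AcceptResult[] = [];
  for (let i = 0; i < clicks; i++) results.push(svc.accept("constructed-token"));
  return { results, mailsSent: outbox.length };
}
```

The notification is tied to the state transition rather than to the request, so the number of emails is bounded by the number of invites, not by the number of clicks.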

affine-issue-bot[bot] commented 3 months ago

Issue Status: 💡 Open

💡 Open

We want to implement the fix or feature in the near future. We can’t promise it will appear in the next public release, but it’s on our short list.

This is an automatic reply by the bot.