Received invitation email but no notification on ecampV3 itself

Question

Received invitation email but no notification on ecampV3 itself

Closed this issue 7 months ago · 1 comments

No notification about a camp invitation...

But I got a mail with the invitation:

Answer 1 · 2024-02-20T03:09:36.000Z

Thanks for taking the time to report this. This is by design, but maybe we can improve it.

In eCamp v2, you were able to invite specific accounts. You could search for accounts by name or email, and the invitation was bound to that specific account (only this account could accept the invitation).
Problems with this approach:

In some cases, users forget their login and create a new account, even though they could easily use the password reset feature
In some cases, users lose access to their email address, and eCamp v2 wouldn't let you change your email address, again leading to people creating multiple accounts
Due to the duplicate accounts, you sometimes had to just know which account of a person was the active one
The search feature exposes all users and emails

So for eCamp v3, we chose a different approach, inspired by the invitation process of dropbox and others: You can no longer invite accounts, but rather you can invite email addresses. To invite someone, you just have to know ANY email address which they own, not specifically the one they used for the eCamp account. And anyone who receives an invitation email can accept the invitation with any eCamp v3 account they own.
It's even possible to forward the email, so in case e.g. an invitation email never arrives at young-leader@example.com, you as camp leader (Hauptleitung) can instead send an invitation to your own email address and forward it to the young leader, or let them accept the invitation on your device.

However, we already weakened the strictness of this concept, by displaying the avatar and name on the invitation if an account exists with the invited email address. Maybe in this case we could also display the invitation to the invited user in the UI. I think this would not compromise security because we require verified email addresses for accounts, but I'm not 100% sure yet.