Funkwhale invites do not permanently expire after being used for signup and can be used again if the user is deleted
Hi,
I'm creating this issue as confidential as it could have a security impact on already deployed instances. Are invites supposed to expire after being used, or are they intended to be associated with a signed-up user? Because I've discovered the following issue:
- Deploy latest version (1.2.8)
- Create an invite for a user
- Send the invite to the user and make them sign up
- The invite is marked as used
- Make the user delete their own account
- The invite will now be marked as not used
- The invite can be used to sign up to a different account
This can be repeated indefinitely with the same invite as long as the account is deleted
Edited by fuomag9
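A minimal model of the sequence reported above, added here as an illustration and not taken from Funkwhale's code base. It assumes the "used" status is derived from the invite's link to the created account, which is one way the reported behaviour can arise, and contrasts that with a redemption flag persisted on the invite itself; all class and function names are hypothetical.

```python
class DerivedStateStore:
    """Assumed flawed design: 'used' is inferred from the linked account."""

    def __init__(self):
        self.invites = {}  # code -> {"username": ..., "redeemed": ...}
        self.users = {}    # username -> invite code

    def create_invite(self, code):
        self.invites[code] = {"username": None, "redeemed": False}

    def is_used(self, code):
        return self.invites[code]["username"] is not None

    def mark_redeemed(self, invite):
        pass  # nothing persisted; state lives only in the account link

    def signup(self, code, username):
        invite = self.invites.get(code)
        if invite is None or self.is_used(code):
            return False
        invite["username"] = username
        self.users[username] = code
        self.mark_redeemed(invite)
        return True

    def delete_user(self, username):
        code = self.users.pop(username)
        self.invites[code]["username"] = None  # link cleared, like a nulled foreign key


class PersistedStateStore(DerivedStateStore):
    """Hardened variant: redemption is recorded on the invite and never cleared."""

    def is_used(self, code):
        return self.invites[code]["redeemed"]

    def mark_redeemed(self, invite):
        invite["redeemed"] = True


def replay_report(store):
    """Run the reported steps; return (first signup, used after signup, second signup)."""
    store.create_invite("INVITE-1")  # constructed sample code
    first = store.signup("INVITE-1", "alice")
    used = store.is_used("INVITE-1")
    store.delete_user("alice")
    return first, used, store.signup("INVITE-1", "bob")
```

The same `replay_report` sequence works as a regression test: the second signup must be rejected once the invite has been redeemed, whether or not the first account still exists.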