FEATURE: Retrieve an existing link only invite (PR #12575)

In Improve invite system, a newly created link only invite cannot be retrieved via API with the invitee’s email once created. A new route, /invites/retrieve, is introduced to fetch an already created invite by email address.


I wasn’t really sure on the endpoint name, or if I could merge the behaviour into an existing endpoint.

This pull request has been mentioned on Discourse Meta. There might be relevant details there:

I think this test is only failing because there is no record. We need to add the action to requires_login

Hi, thanks for your PR which is overall great. Invites need to be held to a high security standard though so I’ve made some comments about how to harden this new endpoint.

This should be a get action because no state is being modified.

I recommend we add a guardian method here, like ensure_can_invite_to_forum - there is some security built in because it will only retrieve an invite you created, but I would like to ensure you can invite people too.

Compared to all the other tests I’m looking at, this looks to be correct, and tests didn’t fail here, do you have more details?

If you look here:

You will see that other actions in the controller are added to requires_login so they can be authenticated. Your test is not failing, I believe, because the record you are looking for does not exist. You could confirm this by having your test run after that record is created (but still not logged in.) It should fail.

Ah, I see, I was looking in the tests source code, sorry! I’m new to everything Ruby, pushed a fix

Looks good now, thank you!