Group and Project Invitation Links should Expire if not Accepted during a Sufficient Time Window
Unlike password-reset links, namespace invitation links do not expire. In case a given user doesn't accept an invitation right away, the invitation will remain valid for an unlimited amount of time. This behavior can lead to a build-up of unaccepted group/project invitations over time. Furthermore, confused maintainers/owners/administrators will fail to appropriately remove access once the member/employee has been off-boarded, as e-mail invitations for a not-yet-existing user are not listed under memberships in the user's admin interface.
Let's consider a group or project N, a project owner O and a user U with e-mail [email protected] without an account on a given GitLab instance. When [email protected] is invited to join N by e-mail as shown below:
[email protected] will receive an invitation that does not seem to expire:
Once [email protected] creates their account, they'll be able to accept the invitation:
Once accepted, the invitation will cease to exist:
However, if the user doesn't accept the invitation right away, it will remain valid for an unlimited amount of time. This behavior can lead to a build-up of unaccepted group/project invitations over time as shown below:
In the case of companies or teams within companies, this is problematic, as off-boarded members will retain access to the respective projects, by virtue of their invitations being in a pending state.
Owners, maintainers and admins may fail to review pending invitations during the off-boarding of said employees, which would effectively retain their access to projects.
Moreover, a malicious member could try to trick O by requesting to be invited via similar-looking e-mail addresses, then gain access through one, which will thus become unusable, and keep the other one(s) to regain access at a later point in time, even after they have been off-boarded.
Steps to reproduce
As described above
What is the current bug behavior?
Group and project invitation links do not expire automatically if not accepted after a certain amount of time.
What is the expected correct behavior?
Group and project invitation links should expire automatically if not accepted after a certain amount of time (7 days?)
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Just as memberships can expire, and this is regularly enforced by going over the project memberships table, stale invitations should be purged as well.
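The expected behaviour (expiry after a fixed window, refusal of late acceptance, and a periodic purge sweep like the one for memberships) as an added Ruby sketch; this is illustrative code written for this report, not GitLab's own implementation, and the 7-day window, the Invitation fields and the method names are assumptions:

```ruby
require 'time'

# Constructed model of a namespace invitation (not GitLab's schema).
Invitation = Struct.new(:namespace, :invite_email, :created_at, :accepted_at)

class InvitationStore
  EXPIRY_DAYS = 7 # assumed window; the report proposes 7 days

  def initialize
    @invitations = []
  end

  def invite(namespace, email, now)
    inv = Invitation.new(namespace, email, now, nil)
    @invitations << inv
    inv
  end

  # An unaccepted invitation older than the window is expired.
  def expired?(inv, now)
    inv.accepted_at.nil? && (now - inv.created_at) > EXPIRY_DAYS * 86_400
  end

  # Acceptance fails once the window has passed, even if the invited
  # address only created its account later.
  def accept(inv, now)
    return false unless inv.accepted_at.nil?
    return false if expired?(inv, now)
    inv.accepted_at = now
    true
  end

  # Unaccepted, unexpired invitations: the set an owner should review
  # during off-boarding (today these are not visible as memberships).
  def pending(now)
    @invitations.select { |i| i.accepted_at.nil? && !expired?(i, now) }
  end

  # Revoke every pending invitation addressed to an off-boarded e-mail.
  def revoke_for_email!(email)
    before = @invitations.size
    @invitations.reject! { |i| i.accepted_at.nil? && i.invite_email == email }
    before - @invitations.size
  end

  # Periodic sweep analogous to membership-expiry enforcement.
  def purge_stale!(now)
    stale, keep = @invitations.partition { |i| expired?(i, now) }
    @invitations = keep
    stale.size
  end
end
```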