From 73c8a31dd2ad3bada2d79fa5c50fdcc1b176aa51 Mon Sep 17 00:00:00 2001
From: Baptiste Jonglez
Date: Fri, 28 Jul 2023 18:34:54 +0200
Subject: [PATCH] Invite page: document the security implication of all options
Also move the "invitation link" option first, because it's the preferred way to give access to people that only need to handle participants and bills. Sharing the identifier and private becomes the last option, because it gives full access to changing settings.
---
ihatemoney/templates/send_invites.html | 29 ++++++++++++++------------
ihatemoney/tests/budget_test.py | 2 +-
2 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/ihatemoney/templates/send_invites.html b/ihatemoney/templates/send_invites.html
index cf6797b7..46a2f239 100644
--- a/ihatemoney/templates/send_invites.html
+++ b/ihatemoney/templates/send_invites.html
@@ -7,20 +7,10 @@ -

{{ _('Share Identifier & code') }}

+

{{ _('Share an invitation link') }}

- {{ _("You can share the project identifier and the private code by any communication means.") }}
-
- {{ _('Identifier:') }} {{ g.project.id }}
-
-
-
-
-

{{ _('Share the Link') }}

-
-
- {{ _("You can directly share the following link via your prefered medium") }}
+ {{ _("The easiest way to invite people is to give them the following invitation link.
They will be able to access the project, manage participants, add/edit/delete bills. However, they will not have access to important settings such as changing the private code or deleting the whole project.") }}
{{ url_for(".join_project", _external=True, project_id=g.project.id, token=g.project.generate_token()) }}
@@ -41,13 +31,26 @@
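Review bot: The new invitation-link text (the `_("The easiest way ...")` string) tells users what link holders cannot do, but not that the link itself is a bearer credential: the `url_for(... token=g.project.generate_token())` line shows the URL carries the token, so anyone who obtains the link (a forwarded email, a chat log) gets the same access as the intended recipient, and nothing here says whether it expires or how it is revoked. I would add a sentence such as `Anyone who gets hold of this link can use it, so only send it to people you trust.` and, if `generate_token()` is derived from the private code (not visible in this hunk), state that changing the private code invalidates previously shared links; otherwise state plainly that links cannot be revoked. A smaller style point: the `_()` call spans two template lines, so the extracted msgid contains a raw newline and the line's indentation that translators must reproduce exactly — concatenating the pieces on one line or using two `_()` calls keeps the catalog entry clean.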

{{ _("Specify a (comma separated) list of email adresses you want to notify about the
- creation of this budget management project and we will send them an email for you.") }}

+ creation of this budget management project and we will send them an email with the invitation link.") }}

{% include "display_errors.html" %}
{{ forms.invites(form) }}
+
+
+

{{ _('Share Identifier & code') }}

+
+
+

{{ _("You can share the project identifier and the private code by any communication means.
Anyone with the private code will have access to the full project, including changing settings such as the private code or project email address, or even deleting the whole project.") }}

+

+ {{ _('Identifier:') }} {{ g.project.id }}
+
+ {{ _('Private code:') }} {{ _('the private code was defined when you created the project') }}
+

+
+
diff --git a/ihatemoney/tests/budget_test.py b/ihatemoney/tests/budget_test.py
index 1b979223..89efeb2d 100644
--- a/ihatemoney/tests/budget_test.py
+++ b/ihatemoney/tests/budget_test.py
@@ -167,7 +167,7 @@ class BudgetTestCase(IhatemoneyTestCase):
 self.login("raclette")
 self.post_project("raclette")
 response = self.client.get("/raclette/invite").data.decode("utf-8")
- link = extract_link(response, "share the following link")
+ link = extract_link(response, "give them the following invitation link")
 self.client.post("/exit")
 response = self.client.get(link)
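Review bot: The rewritten identifier-and-code text still opens with `You can share the project identifier and the private code by any communication means.` immediately before warning that the private code grants full control, including deleting the project, which gives readers contradictory guidance inside one paragraph. I would reword that first sentence to `The project identifier can be shared freely, but send the private code only to people you trust, ideally through a different channel than the identifier.` so the advice matches the warning that follows it. Two smaller points in the same section: the context line `Specify a (comma separated) list of email adresses` carries a long-standing typo (`addresses`), though fixing it changes the msgid and needs the translation catalogs updated, and this `_()` string also spans two template lines, embedding a newline and indentation in the msgid.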
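Review bot: The updated assertion only re-anchors the link extraction on the new English copy (`extract_link(response, "give them the following invitation link")`), so the test keeps proving that the link still works after `/exit` but nothing pins the restriction the template now promises, namely that a token-joined visitor cannot change the private code or delete the project. After `response = self.client.get(link)` I would request the project's settings and delete endpoints (their routes are not visible in this hunk) and assert they are refused, e.g. `self.assertNotEqual(200, self.client.get("/raclette/edit").status_code)` adjusted to the real route, so a future change that lets the token reach settings fails this test rather than silently widening access. Anchoring on the user-facing sentence also means any copy edit breaks the test; matching on the `token=` query parameter or the join route would survive wording changes. The enclosing test method's `def` line is above the hunk, so its name and the fixtures it relies on are not visible here.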