Summary
If config.invite_key is not configured to ensure a strict row unicity, invite! may send invitation to a random user / account.
Details
In models.rb L311, the instruction :
invitable = find_or_initialize_with_errors(invite_key_array, attributes_hash)
Will take the first existing row. In most of DBMS (at least all relational one), without explicit clause the order is unpredictable. So if many rows match the underlying find_by* query, we can't predict which one will be chosen.
Expected behaviour
That's a situation devise_invitable can't handle. The current implementation may hide bugs on devise_invitable user's code base.
if many existing invitable row match, the invitation process must stop, through an exception (I believe).
I will submit a PR to change that behaviour soon 😃
FYI @TristanBelin @bakster-jv
Summary
If
config.invite_keyis not configured to ensure a strict row unicity,invite!may send invitation to a random user / account.Details
In models.rb L311, the instruction :
Will take the first existing row. In most of DBMS (at least all relational one), without explicit clause the order is unpredictable. So if many rows match the underlying
find_by*query, we can't predict which one will be chosen.Expected behaviour
That's a situation
devise_invitablecan't handle. The current implementation may hide bugs ondevise_invitableuser's code base.if many existing invitable row match, the invitation process must stop, through an exception (I believe).
I will submit a PR to change that behaviour soon 😃
FYI @TristanBelin @bakster-jv