Cross-PR review 2026-06-11 - BLOCKING gate before widening create Invitation to regular users (the referral phase, #5):
InvitationService.list() is find({}) - platform-global, returns every invitee email. The account "My referrals" tab already labels it first-person. The moment regular users gain the ability, this is a PII leak. Fix: invitedBy-scope the list for non-admins (or a dedicated /api/invitations/mine), keep the global list admin-only.
Add a self-referral guard (alternate-personal-email self-invites become valuable once adapting to front #5 grants credits).
!config.sign.up, so on a sign.up:true deployment the entire referral substrate silently no-ops (no referredBy, no invitation.accepted) while the Referrals tab keeps soliciting invites. Fine for closed-beta Trawl; must be resolved (finalize-without-claim on open signup, or hide the tab) before any open deployment uses referral.
Refs: ✨ Referral hook backend - referredBy + invitation.accepted (Node, P8a) #3814, ✨ Referrals account view scaffold (Vue, P8b) Vue#4282, epic 🎯 Decouple invitations from organizations (referral-ready platform invitations) #3808.
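A sketch of the two fixes requested above (invitedBy-scoped listing for non-admins and a self-referral guard), added here as an illustration and not taken from the project's code. Only the `invitedBy` field comes from the issue; the `roles`, `email` and `alternateEmails` fields, the function names and the in-memory store are assumptions, and the guard can only match addresses already recorded for the inviter.

```javascript
// Constructed sample data; `email` and `roles` are assumed field names.
const invitations = [
  { id: 1, email: 'alice@example.com', invitedBy: 'u1' },
  { id: 2, email: 'bob@example.com', invitedBy: 'u2' },
  { id: 3, email: 'carol@example.com', invitedBy: 'u1' },
];

// Assumed role model: an array of role names on the user object.
const isAdmin = (user) => Array.isArray(user.roles) && user.roles.includes('admin');

// Build the filter from the authenticated caller, never from request input:
// admins keep the global list, everyone else is pinned to their own id.
function invitationFilter(user) {
  if (!user || !user.id) throw new Error('unauthenticated');
  return isAdmin(user) ? {} : { invitedBy: user.id };
}

// Stand-in for a find(filter) call against the real store.
function listInvitations(user, store = invitations) {
  const filter = invitationFilter(user);
  return store.filter((inv) =>
    Object.entries(filter).every(([key, value]) => inv[key] === value));
}

// Normalise for comparison: trim, lowercase, drop a "+tag" suffix.
// Dropping the tag is a heuristic assumed here, not a universal mail rule.
function normalizeEmail(email) {
  const [local, domain] = String(email).trim().toLowerCase().split('@');
  if (!local || !domain) throw new Error('invalid email');
  return `${local.split('+')[0]}@${domain}`;
}

// Self-referral guard: true when the invitee address matches any address
// already known for the inviter (primary or recorded alternate).
function isSelfReferral(inviter, inviteeEmail) {
  const own = [inviter.email, ...(inviter.alternateEmails || [])].map(normalizeEmail);
  return own.includes(normalizeEmail(inviteeEmail));
}
```
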