Preventing Users to invite others, is it possible?

I am experiencing this same issue.  Non admins can sent invite emails to anyone with this option, even though the site admin allow users to invite is turned off.  This is very bad!

This sounds like a huge information security loophole and a nightmare for Jira Admins that work for organisations that are careful about information security.
Surely "Invite team" should mean just that and not "Invite anyone in the world to team and give them a license as well"!
Is anyone in Atlassian responsible for closing security loopholes to whom we could forward this issue?

There's a new feature now that allows you to add trusted users to invite other users:

• Invite, Edit, and Add Users

Can you have a look and let me know what sort of permissions Person 2 has there?

Do you know what they did to trigger the invite email specifically?

Regards,

Shannon

Thanks for the feedback!

That Invite/Edit/Add page refers to permissions, which I don't see anywhere in the user management interface.

Person 2 is an external, non-staff user, with limited permissions. I don't know what they're doing, to generate this invitation.

David,

The permissions are available in Site Administration > User management > Users. When you click Show details next to the user, you'll see under Roles on the left which role they have.

Can you have a look and confirm that you see that?

Take a look at what role you have set for that user, and confirm with me what permissions you have set for them. I assume by "external" user you don't mean external to Confluence, but a licensed internal Confluence user which is external to your organization. Can you confirm?

Regards,

Shannon

Note: There seem to be different meanings of "Invite a user, which may be causing some confusion.

- When an administrator adds a new user, that's called inviting the user; as it sends a mail to that user for them to setup their own account.

- When an existing (non-admin) user invites a user they're asking that the user be given access / it results in the administrators being prompted to approve the access request.

I believe this question's referring to the latter scenario.

John,

Thank you so much for pointing that out! 

David, in that case, are the users themselves getting an invitation email, or is only the admin getting an email to approve access request? Can you show me what that email looks like for you?

Regards,

Shannon

Hi @Shannon S ,

I have the same question as Yanis and David.

I've used the Basic Role when inviting new users, the "Users can invite others" in Site Settings is unticked.

STILL, as a new user to that Confluence Cloud instance, the first step in my "Start up Confluence"-routine, I'm prompted to add emails beneath the question "Who's on your team?".

Is there anyway to detach this first step as a new user? Or does that step override all user management settings?

Best regards,

Marika

Hello Marika,

Thank you so much for your description. I realize now that it was this bug we reported, which turned out to be an expected behavior:

• ID-6734 Disabling the _Users can invite others_ tickbox still allows regular users to invite other people

I've found the following request to disable this option below:

• CONFCLOUD-65155 Disable the option to invite team members on the first login

@Yanis, my apologies for not realizing that this was the specific feature you were referring to.

The best thing we can do for this is to vote on the CONFCLOUD request which is still open. I will comment there with this thread so the developers will be able to see the feedback.

You can also submit your feedback directly from the menu within your Cloud instance, by clicking on your profile photo:

This will be sent directly to the development team for their consideration.

Thank you and take care!

Regards,

Shannon

Hi Shannon , 

What was the outcome for this issue ? Was it resolved ? 

I am also facing same issue, people who are not administrators are able to invite new people on jira.

what is the step by step procedure to stop users for inviting further other users ?

Thank you in anticipation. 

Muhammad,

Welcome to Atlassian Community! It's nice to meet you.

In my last reply, I mentioned that it was expected behavior, which was mentioned here:

• ID-6734 Disabling the _Users can invite others_ tickbox still allows regular users to invite other people

And I found the following request to disable this option below:

• CONFCLOUD-65155 Disable the option to invite team members on the first login

You can vote on the request above and you will be automatically added to the list of watchers.

Let me know if you have any questions!

Regards,

Shannon

Thank you. 

Wow.  This means that I can't use Confluence for my Partner Portal project because I don't want partners to be able to invite others (even if they don't get approved) - it is just unprofessional.

This is so disappointing when basic things don't work and then don't get fixed.

This sort of thing makes it very hard to be a champion for Atlassian. :(

I agree this is obnoxious.  

This inundation of "invited_user_A wants some_uninvited_colleague to join Confluence so they can work together. Here's some more information about them" messages is making my Atlassian administration experience miserable and confusing my users.

It is a shame this issue has not received attention.

Even when that is not checked, I still see loads of invites that can be generated by all roles of users

email comes in like

Summary: <basic user with no admin rights> invited <invited user> to your Atlassian site

<basic user with no admin rights> invited <invited user> to your Atlassian site
Hi Mark J Cunningham,
<basic user with no admin rights> (<basic user with no admin rights email address>) has invited <invited user> to work with your team. Here's some more information about them:
<invited user>
<email address>
New user at <site>
View profile
View your invite settings


According to setting this should not be possible: