At the moment, when adding someone to an organization in a Forgejo instance:
- if they are added by username, they get added directly to the organization
- if they are added by email (which is a bit of a hidden feature), they get an invitation by email that they can accept or decline (whether or not they already have an account on the Forgejo instance)
I'm wondering if there would be consensus to switch to sending invitations in all cases. I'm not sure where to gather such a consensus, so I thought I would ask here. It would be a significant change, and I am not sure how to get an agreement on something like this.
I've made a small poll on Mastodon and there seemed to be a preference for sending expiring invitations.
The main issue with adding someone directly to an organization is that they did not consent to being added to the organization. If their membership is visible from the outside (which the owner of the organization can enforce), then they can be seen as part of a project that they do not support (potentially endorsing a nefarious project against their will). This also allows the org owner to view whether they have enabled 2FA, which can be seen as a privacy concern.
If this overall goal is shared among project members, then I would work towards it with incremental PRs.
At the moment, when adding someone to an organization in a Forgejo instance:
* if they are added by username, they get added directly to the organization
* if they are added by email (which is a bit of a hidden feature), they get an invitation by email that they can accept or decline (whether or not they already have an account on the Forgejo instance)
I'm wondering if there would be consensus to switch to sending invitations in all cases. I'm not sure where to gather such a consensus, so I thought I would ask here. It would be a significant change, and I am not sure how to get an agreement on something like this.
I've made [a small poll on Mastodon](https://mamot.fr/deck/@pintoch/115859913262035226) and there seemed to be a preference for sending expiring invitations.
The main issue with adding someone directly to an organization is that they did not consent to being added to the organization. If their membership is visible from the outside (which the owner of the organization can enforce), then they can be seen as part of a project that they do not support (potentially endorsing a nefarious project against their will). This also allows the org owner to view whether they have enabled 2FA, which can be seen as a privacy concern.
If this overall goal is shared among project members, then I would work towards it with incremental PRs.