I just enabled membership on a test site and wanted to use the function to enable user account creation (sign-ups) via invitation only, which I tested. The only problem is that if anyone then decides to share the link or URL of the sign-up page, which is by default (yourwebsite/sign-up), it allows anyone else to freely create an account without an invitation, because while the invitation has a token, you can just type sign-up at the end of the site URL and it brings up the sign-up page anyway!! Is there any way someone knows to prevent that?
Good observation, I hadn’t noticed that.
I’d recommend posting it in the Membership BETA forum so the Webflow team sees it.
Will do, thanks a lot :o)
That seems to be another forum on Circle. Any ideas how to join the group?
Yeah, it was part of your Membership BETA invite. Check your email, it will give you the links you need.
Got it, thanks for the help.
Just thinking a bit more about this;
I think that the ability to sign up with a different email than the invitation was sent to is probably important.
Just because you have someone’s email doesn’t mean that’s the one they want to use for logins.
I have more than 10 email addresses.
The scenario I think you’re describing is-
- You invite Bob
- Bob forwards the invite email to Fred
- Fred enrolls
- You didn’t want Fred to enroll
If you’re really having problems with unauthorized people accepting the invite, a way around that is to two-step the enrollment process.
First invite them, but with only Public access-
Then, once they’ve accepted, you verify it’s the right person, and then upgrade their access to the content groups you want.
@xenostorm @webflow-user-account @webdev I noticed that when the email is forwarded to someone else, when clicking on that link, the email field is already prefilled and greyed out with the email address of the person who was invited. I imagine that stops someone else from creating an account. Am I missing something?
Btw, do we know how long the invitation link is good for? I sent it to someone and they responded after a couple of days that the link had expired.
That’s just a (very) nice convenience… having the email pre-populated and the form field disabled.
Here’s what’s happening behind the scenes…
When an invitation is created, Webflow generates a one-time, unique token that is associated with the email used for that invitation.
That email is associated with that specific token and no other.
Webflow then appends that unique token to the url on the invitation link sent:
When you click the link shown above, you go to the signup page with that token in the url.
Webflow grabs that url token and does a lookup within their internal database to do a few things:
- Checks if that token has already been used for a signup; if so, display an error, otherwise…
- Grab the email associated with it, and display it on the screen.
That’s why you see the invited email address displaying and greyed out versus whatever email address you forwarded the invitation to.
That url token is associated to only 1 email address, and it should only work 1 time.
Yea, I consider this a bug when you look at the user flow I’ve outlined above.
But… I think they are currently considering it a limitation.
If you choose this option (“after manually adding users to this group”) for a role:
…that should never happen and you should only ever gain access when you (as the site admin) log into your Webflow account and manually add them.
The current state as I understand it is that there are 2 unique user flows for this:
- Ecommerce (paid or free accounts)
- Non-Ecommerce (free accounts only)
For the latter, there currently is no choice (and I consider it a bug).
For the former, using Ecommerce, I believe this is now fixed. You can set it up for free users (without requiring a credit card upfront) and control this AFAIK.
To hear more of our voices we need to either reach out directly to support or chime in on the Memberships Beta forum.
Feel free to use my breakdown as a reference to explain the situation.
So far I’ve seen them take feedback like this and change it with enough of our voices heard.
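The token flow described in this thread (one token per invitation, tied to one email, usable once), sketched as an added example; it is not Webflow's code and was not posted by anyone in the thread. `InviteStore`, its method names and the `INVITE_TTL` value are assumptions made for illustration. It shows the two checks the thread turns on: a sign-up request with no token is refused, and the email binding is enforced on the server instead of by the disabled form field.

```python
import hashlib
import secrets
import time

INVITE_TTL = 7 * 24 * 3600  # assumed lifetime; the thread does not state the real one

class InviteError(Exception):
    """Raised when a sign-up request must be refused."""

class InviteStore:
    """Hypothetical in-memory invitation store (illustration only)."""

    def __init__(self):
        self._invites = {}  # sha256(token) -> record; the raw token is never stored

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create_invite(self, email, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, unique per invitation
        self._invites[self._key(token)] = {
            "email": email, "expires": now + INVITE_TTL, "used": False}
        return token  # appended to the sign-up URL in the invitation email

    def _valid(self, token, now=None):
        now = time.time() if now is None else now
        if not token:  # someone typed the bare sign-up URL
            raise InviteError("invitation required")
        invite = self._invites.get(self._key(token))
        if invite is None:
            raise InviteError("unknown invitation")
        if invite["used"]:
            raise InviteError("invitation already used")
        if now > invite["expires"]:
            raise InviteError("invitation expired")
        return invite

    def invited_email(self, token, now=None):
        """Email to pre-fill (and grey out) on the sign-up form."""
        return self._valid(token, now)["email"]

    def sign_up(self, token, submitted_email, now=None):
        invite = self._valid(token, now)
        # A disabled form field can be edited client-side, so compare here too.
        if submitted_email.strip().lower() != invite["email"].lower():
            raise InviteError("email does not match invitation")
        invite["used"] = True  # single use: a forwarded link fails after this
        return invite["email"]
```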