@peterhashair Looking good overall 👍

I noticed a couple of issues:

The Resend Invite action shows for all users even if they haven't been invited, this could be confusing and an error is shown when attempting to reinvite existing users. It would be good to hide Resend Invite if the user hasn't been invited.

After creating an invite for a new user, following the accept link and entering a new password an error is shown:

This happens when already logged in as one user who creates the invite, then the accept link is opened in the same browser. Probably not a common scenario but it could happen, especially when testing.

The resend invite action is only showing when an invite has been sent 👍

The defaultReportDate was due to an out of date plugin I had installed - no issue once the plugin was deactivated 👍

Here would have really a lot changes been required before I would have considered this PR as mergeable.

The most important ones are:

• Using a token_auth as invite token is kind of a security problem, as it allows using the API without even accepting the invite
• The tests are not covering the whole process. It's nice that all screens are covered by a UI test, but it would also be important to really click the accept or decline button and see what happens afterwards. Not having tests for that has the risk, that this might regress in the future and we won't see that.
• The user experience of this new feature is quite bad, as in a lot places the success notifications are missing and the users doesn't see if his action actually worked or not.
• Some Most of the requirements of the original issue aren't fulfilled. To mention some important ones of the list here: Invite new users in Matomo, rather than creating them directly #13321 (comment)
  • Activity log should recognise "invite user" and "invite user accepted".
    --> see comments about missing / changed events
  • A user can also decline the invite in which case the person that created the invite is being notified by email and we remove the user entry to have no personal data in there. (we might need to store in the user table who invited the user, if that user login no longer exists then we don't notify anyone)
    --> currently the user remains in the database
  • When a user clicks on accept invite, they enter their password. If privacy policy or terms is configured, then we show these links. We say eg if privacy policy is configured: By signing up, I accept the Privacy Policy. If terms is configured we say it similarly for terms. If both are configured then we mention both.
    --> currently there is always Terms & Conditions displayed.
  • In addition the UI currently doesn't allow to see when a invite expire, nor is it possible to show all invited users (e.g. by a filter).
  • Invited users can be seen by super users, and the person that invited that user.
    --> currently everyone who has permission can see the user, as invites are created as a normal users.