Ticket #387 (new defect)

Opened 3 months ago

Invitation and password reset code collision

Reported by: eavdmeer
Assigned to: nobody
Priority: high
Milestone: 0.9.1
Component: core
Version: 0.9.1
Severity: major
Keywords: invitation, password reset
Cc:
Patch Included: 1
Review Stage: unreviewed

Description

Elgg currently uses a rather simple algorithm for calculating the invitation code used to identify a new user. It uses the first 8 characters of an MD5 hash of the name of a new user and the current time. This same algorithm is used when calculating a code for a password reset.

In a heavily used system, it is very possible with the current algorithm to have two emails sent out with the same code (had that happen to me twice in the past two days!). If error reporting is disabled (hide errors), this effectively has the result that a user clicking on the link is presented with the password reset or invitation of another user!

I have chosen a very straightforward approach to fix this. Before the new code is inserted in the invitation table, the table is checked to make sure the code is unique. If it is not, we sleep() for 1 second and generate a new code. This continues until a unique code is found. This is still not 100% proof (we would need table write locking for that), but it's a lot better.

Attachments

elgg_invite_code.patch (2.1 kB) - added by eavdmeer on 08/14/08 09:19:37.

Change History

08/14/08 09:19:37 changed by eavdmeer

  • attachment elgg_invite_code.patch added.
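
The collision described in the ticket and a race-free alternative, as an added example (not Elgg's code and not the attached patch). The concatenation order in `legacy_code`, the `invitations` table, the sample names and timestamp, and all function names are assumptions made for illustration. It goes beyond the ticket's fix by drawing the code from a CSPRNG and letting a UNIQUE constraint reject duplicates at insert time, which closes the check-then-insert gap the description mentions without table locking or `sleep()`.

```python
import hashlib
import secrets
import sqlite3

def legacy_code(name, when):
    """First 8 hex chars of MD5(name + time), as the ticket describes.
    The exact concatenation is assumed; only 32 bits survive the truncation."""
    return hashlib.md5(f"{name}{when}".encode()).hexdigest()[:8]

def first_collision(when, limit=1_000_000):
    """Return (name_a, name_b, code) for two distinct names sharing a legacy code."""
    seen = {}
    for i in range(limit):
        name = f"user{i}"  # constructed sample names
        code = legacy_code(name, when)
        if code in seen:
            return seen[code], name, code
        seen[code] = name
    return None

def open_db():
    db = sqlite3.connect(":memory:")
    # Hypothetical table. UNIQUE makes the database itself refuse a duplicate,
    # atomically, even when two requests insert at the same moment.
    db.execute("CREATE TABLE invitations (code TEXT NOT NULL UNIQUE, name TEXT NOT NULL)")
    return db

def store_invitation(db, name, make_code=lambda: secrets.token_hex(16), max_tries=5):
    """Insert first and retry on a constraint violation (no separate lookup).
    The default code is 128 bits from the OS CSPRNG, so retries are practically never hit."""
    for _ in range(max_tries):
        code = make_code()
        try:
            with db:  # commits on success, rolls back on error
                db.execute("INSERT INTO invitations (code, name) VALUES (?, ?)", (code, name))
            return code
        except sqlite3.IntegrityError:
            continue  # duplicate code: draw a new one
    raise RuntimeError(f"no unique code after {max_tries} tries")

if __name__ == "__main__":
    when = 1218705577  # constructed sample timestamp
    a, b, code = first_collision(when)
    print(f"{a} and {b} would both receive legacy code {code}")
    db = open_db()
    print(store_invitation(db, a), store_invitation(db, b))
```

With a 32-bit code space a collision is expected after roughly 80,000 codes by the birthday bound, which is why the search above finishes quickly.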