The view that creates the HTML for the accept invitation is groups/views/default/groups/invitationrequests.php
You should check that the token and timestamp are included in the link by checking the page source.
In Elgg, all actions go through the action handler in /engine/handlers/action_handler.php
and from there to the function action() in /engine/lib/actions.php - that's where the token is checked. If it passes, it goes to the action file in groups/actions/join.php
I have never been able to reproduce any token problems. Every once in a while someone reports one but does not have the skills to debug what is happening. I'm assuming it's something in the server configuration or a bad plugin.
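The page-source check described in the reply above, as an added example that is not part of the original post or Elgg's own code. It scans saved page source for links under /action/ and flags any that lack `__elgg_ts` or `__elgg_token`; the function name, the `site.example` host, the sample markup and the one-hour freshness window are assumptions of this example.

```javascript
// Added example: audit Elgg action links found in saved page source.
// Flags links under /action/ that lack __elgg_ts or __elgg_token, or whose
// timestamp falls outside a freshness window (maxAgeSec is an assumption
// of this example; adjust it to the site's actual token lifetime).
function auditActionLinks(html, nowSec, maxAgeSec = 3600) {
  const findings = [];
  const hrefRe = /href\s*=\s*(["'])(.*?)\1/gi;
  let m;
  while ((m = hrefRe.exec(html)) !== null) {
    // hrefs in page source are often entity-encoded (&amp; instead of &)
    const raw = m[2].replace(/&amp;/g, "&");
    let url;
    try {
      // The base is only used to resolve relative links.
      url = new URL(raw, "http://site.example/");
    } catch {
      continue; // not a parseable URL, nothing to audit
    }
    if (!url.pathname.includes("/action/")) continue;

    const problems = [];
    const ts = url.searchParams.get("__elgg_ts");
    const token = url.searchParams.get("__elgg_token");
    if (!token) problems.push("missing __elgg_token");
    if (!ts) problems.push("missing __elgg_ts");
    else if (!/^\d+$/.test(ts)) problems.push("non-numeric __elgg_ts");
    else if (Math.abs(nowSec - Number(ts)) > maxAgeSec) problems.push("stale __elgg_ts");

    findings.push({ action: url.pathname, ok: problems.length === 0, problems });
  }
  return findings;
}

// Constructed sample markup, modelled on the links quoted in this thread.
const SAMPLE = `
<a href="http://site.example/action/groups/killinvitation?user_guid=2&amp;group_guid=7&amp;__elgg_ts=1400000000&amp;__elgg_token=abc123">Delete</a>
<a href="http://site.example/action/groups/join?user_guid=2&group_guid=7&__elgg_ts=1399990000&__elgg_token=abc123">Accept</a>
<a href="http://site.example/action/groups/join?user_guid=2&group_guid=7">Accept</a>
<a href="http://site.example/pg/groups/invitations/user">Invitations</a>`;

for (const f of auditActionLinks(SAMPLE, 1400000100)) {
  console.log(f.action, f.ok ? "ok" : f.problems.join(", "));
}
```

A link that shows both parameters here can still be rejected server-side, so a clean result only rules out the view failing to emit the token.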
</a></div>GROUP NAME<br /><a class="delete_report_button" href="http://SITE/action/groups/killinvitation?user_guid=#&group_guid=##&__elgg_ts=####&__elgg_token=####" onclick="return confirm('Are you sure you want to remove this join request?');">Delete</a> <a href="http://SITE/action/groups/join?user_guid=##&group_guid=##&__elgg_ts=####&__elgg_token=####" class="archive_report_button">Accept</a>
That is the line that is failing from the page source (http://SITE/pg/groups/invitations/user), generalized to shorten it. What should I check in the other files?
What version of Elgg are you using?