Normal users can join groups bypassing approval process using REST API

[kazlauskis]

Non-admin users can only add themselves to public groups; requests to join by-request groups will result in the user being flagged as pending

Joining a request-only group currently automatically approves the membership. e.g:

POST https://warehouse1.indicia.org.uk/index.php/services/rest/groups/3059/users

{
  "values": {
    "id": 282375
  }
}

I can see the membership is approved on the https://irecord.org.uk/activities/pending?group_id=3059

If the user joins using the invite link https://irecord.org.uk/join/senamiestis, then the membership is correctly pending.

[kazlauskis]

Another important improvement would be to include the "pending" status in the REST responses, since currently there is no way to detect the user has a pending membership using REST.

GET https://warehouse1.indicia.org.uk/index.php/services/rest/groups

[
    {
        "values": {
            "id": "3059",
            "title": "Senamiestis",
            "description": "Test group",
            "joining_method": "R",
            "website_id": "23",
            "group_type_id": "4845",
            "from_date": null,
            "to_date": null,
            "created_on": "2025-01-29T08:01:04+00:00",
            "created_by_id": "71394",
            "indexed_location_ids": null,
            "group_type": "Local groups"
            "pending": true <- add something like this
        }
    }
]