Skip to content

fix: restrict invitation accept/decline actions to invited user only #5777

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ashnaaseth2325-oss wants to merge 2 commits into
base: unstable
Choose a base branch
from
+31 −0
Open

fix: restrict invitation accept/decline actions to invited user only #5777

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a0aba37
fix: enforce invitee-only auth on invitation accept/decline endpoints
ashnaaseth2325-oss Mar 23, 2026
6dc6531
refactor: deduplicate invitee auth check into _ensure_invitee helper
ashnaaseth2325-oss Mar 25, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 24 additions & 0 deletions contentcuration/contentcuration/tests/viewsets/test_invitation.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -446,3 +446,27 @@ def test_update_invitation_decline(self):
).exists()
)
self.assertTrue(models.Change.objects.filter(channel=self.channel).exists())

def test_accept_invitation_by_non_invitee_is_forbidden(self):
invitation = models.Invitation.objects.create(**self.invitation_db_metadata)

# self.user is a channel editor, not the invited user
self.client.force_authenticate(user=self.user)
response = self.client.post(
reverse("invitation-accept", kwargs={"pk": invitation.id})
)
self.assertEqual(response.status_code, 403, response.content)
invitation.refresh_from_db()
self.assertFalse(invitation.accepted)

def test_decline_invitation_by_non_invitee_is_forbidden(self):
invitation = models.Invitation.objects.create(**self.invitation_db_metadata)

# self.user is a channel editor, not the invited user
self.client.force_authenticate(user=self.user)
response = self.client.post(
reverse("invitation-decline", kwargs={"pk": invitation.id})
)
self.assertEqual(response.status_code, 403, response.content)
invitation.refresh_from_db()
self.assertFalse(invitation.declined)
7 changes: 7 additions & 0 deletions contentcuration/contentcuration/viewsets/invitation.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
from django_filters.rest_framework import FilterSet
from rest_framework import serializers
from rest_framework.decorators import action
from rest_framework.exceptions import PermissionDenied
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response

Expand Down Expand Up @@ -137,9 +138,14 @@ def perform_update(self, serializer):
instance = serializer.save()
instance.save()

def _ensure_invitee(self, request, invitation):
if (request.user.email or "").lower() != (invitation.email or "").lower():
raise PermissionDenied("Only the invited user may perform this action.")

@action(detail=True, methods=["post"])
def accept(self, request, pk=None):
invitation = self.get_object()
self._ensure_invitee(request, invitation)
invitation.accept()
invitation.accepted = True
invitation.save()
Expand All @@ -158,6 +164,7 @@ def accept(self, request, pk=None):
@action(detail=True, methods=["post"])
def decline(self, request, pk=None):
invitation = self.get_object()
self._ensure_invitee(request, invitation)
invitation.declined = True
invitation.save()
Change.create_change(
Expand Down
Loading