Fix token for invite link, updated accpet/reject invite functionality

Author: sandeepsajan0

hypha/apply/activity/adapters/emails.py

@@ -169,16 +169,25 @@ def handle_transition(self, old_phase, source, **kwargs):
             )
 
     def handle_co_applicant_invite(self, source, related, **kwargs):
+        from hypha.apply.funds.utils import generate_signed_token
+
         invited_user = User.objects.filter(email=related.invited_user_email).first()
         can_accept = True
         if invited_user and (
             invited_user.is_apply_staff or invited_user.is_apply_staff_admin
         ):
             can_accept = False
 
+        token = generate_signed_token(
+            data={
+                "email": related.invited_user_email,
+                "submission": related.submission.pk,
+            },
+            salt="co-applicant-invite-token",
+        )
         accept_link = reverse(
             "apply:submissions:accept_coapplicant_invite",
-            kwargs={"pk": source.id, "token": related.token},
+            kwargs={"pk": source.id, "token": token},
         )
         return self.render_message(
             "messages/email/invite_co_applicant.html",

hypha/apply/activity/migrations/0087_alter_event_type.py

@@ -0,0 +1,83 @@
+# Generated by Django 4.2.20 on 2025-04-30 05:35
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("activity", "0086_remove_django_messages_adapter"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="event",
+            name="type",
+            field=models.CharField(
+                choices=[
+                    ("UPDATE_LEAD", "updated lead"),
+                    ("BATCH_UPDATE_LEAD", "batch updated lead"),
+                    ("EDIT_SUBMISSION", "edited submission"),
+                    ("APPLICANT_EDIT", "edited applicant"),
+                    ("NEW_SUBMISSION", "submitted new submission"),
+                    ("DRAFT_SUBMISSION", "submitted new draft submission"),
+                    ("SCREENING", "screened"),
+                    ("TRANSITION", "transitioned"),
+                    ("BATCH_TRANSITION", "batch transitioned"),
+                    ("DETERMINATION_OUTCOME", "sent determination outcome"),
+                    ("BATCH_DETERMINATION_OUTCOME", "sent batch determination outcome"),
+                    ("INVITED_TO_PROPOSAL", "invited to proposal"),
+                    ("REVIEWERS_UPDATED", "updated reviewers"),
+                    ("BATCH_REVIEWERS_UPDATED", "batch updated reviewers"),
+                    ("PARTNERS_UPDATED", "updated partners"),
+                    ("PARTNERS_UPDATED_PARTNER", "partners updated partner"),
+                    ("READY_FOR_REVIEW", "marked ready for review"),
+                    ("BATCH_READY_FOR_REVIEW", "marked batch ready for review"),
+                    ("NEW_REVIEW", "added new review"),
+                    ("COMMENT", "added comment"),
+                    ("PROPOSAL_SUBMITTED", "submitted proposal"),
+                    ("OPENED_SEALED", "opened sealed submission"),
+                    ("REVIEW_OPINION", "reviewed opinion"),
+                    ("DELETE_SUBMISSION", "deleted submission"),
+                    ("DELETE_REVIEW", "deleted review"),
+                    ("DELETE_REVIEW_OPINION", "deleted review opinion"),
+                    ("CREATED_PROJECT", "created project"),
+                    ("UPDATE_PROJECT_LEAD", "updated project lead"),
+                    ("UPDATE_PROJECT_TITLE", "updated project title"),
+                    ("EDIT_REVIEW", "edited review"),
+                    ("SEND_FOR_APPROVAL", "sent for approval"),
+                    ("APPROVE_PROJECT", "approved project"),
+                    ("ASSIGN_PAF_APPROVER", "assign project form approver"),
+                    ("APPROVE_PAF", "approved project form"),
+                    ("PROJECT_TRANSITION", "transitioned project"),
+                    ("REQUEST_PROJECT_CHANGE", "requested project change"),
+                    ("SUBMIT_CONTRACT_DOCUMENTS", "submitted contract documents"),
+                    ("UPLOAD_DOCUMENT", "uploaded document to project"),
+                    ("UPLOAD_CONTRACT", "uploaded contract to project"),
+                    ("APPROVE_CONTRACT", "approved contract"),
+                    ("CREATE_INVOICE", "created invoice for project"),
+                    ("UPDATE_INVOICE_STATUS", "updated invoice status"),
+                    ("APPROVE_INVOICE", "approve invoice"),
+                    ("DELETE_INVOICE", "deleted invoice"),
+                    ("SENT_TO_COMPLIANCE", "sent project to compliance"),
+                    ("UPDATE_INVOICE", "updated invoice"),
+                    ("SUBMIT_REPORT", "submitted report"),
+                    ("SKIPPED_REPORT", "skipped report"),
+                    ("REPORT_FREQUENCY_CHANGED", "changed report frequency"),
+                    ("DISABLED_REPORTING", "disabled reporting"),
+                    ("REPORT_NOTIFY", "notified report"),
+                    ("REVIEW_REMINDER", "reminder to review"),
+                    ("BATCH_DELETE_SUBMISSION", "batch deleted submissions"),
+                    ("BATCH_ARCHIVE_SUBMISSION", "batch archive submissions"),
+                    ("BATCH_INVOICE_STATUS_UPDATE", "batch update invoice status"),
+                    ("STAFF_ACCOUNT_CREATED", "created new account"),
+                    ("STAFF_ACCOUNT_EDITED", "edited account"),
+                    ("ARCHIVE_SUBMISSION", "archived submission"),
+                    ("UNARCHIVE_SUBMISSION", "unarchived submission"),
+                    ("REMOVE_TASK", "remove task"),
+                    ("INVITE_COAPPLICANT", "invite co-applicant"),
+                ],
+                max_length=50,
+                verbose_name="verb",
+            ),
+        ),
+    ]

hypha/apply/activity/templates/messages/email/invite_co_applicant.html

@@ -7,5 +7,5 @@
 {% trans "But You can't accept this invite because you already hold a responsible position in" %} {{ ORG_SHORT_NAME }}
 {% endif %}
 {% blocktrans %} Click on link if you want to accept it, otherwise leave it.{% endblocktrans %}
-{% trans "Link" %}: {{ accept_link }}
+{% trans "Link" %}: {{ request.scheme }}://{{ request.get_host }}{{ accept_link }}
 {% endblock %}{# fmt:on #}

hypha/apply/funds/forms.py

@@ -1,4 +1,3 @@
-import uuid
 from collections import OrderedDict
 from functools import partial
 from itertools import groupby
@@ -478,9 +477,3 @@ def __init__(self, *args, submission, user=None, **kwargs):
     class Meta:
         model = CoApplicantInvite
         fields = ["invited_user_email", "submission"]
-
-    def save(self, *args, **kwargs):
-        self.instance.submission = self.cleaned_data["submission"]
-        self.instance.token = str(uuid.uuid4())
-        self.instance.invited_user_email = self.cleaned_data["invited_user_email"]
-        return super().save(*args, **kwargs)

hypha/apply/funds/migrations/0125_remove_coapplicant_accepted_on_and_more.py

@@ -0,0 +1,52 @@
+# Generated by Django 4.2.20 on 2025-04-30 05:36
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("funds", "0124_coapplicantinvite_coapplicant"),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name="coapplicant",
+            name="accepted_on",
+        ),
+        migrations.RemoveField(
+            model_name="coapplicant",
+            name="status",
+        ),
+        migrations.RemoveField(
+            model_name="coapplicantinvite",
+            name="is_used",
+        ),
+        migrations.RemoveField(
+            model_name="coapplicantinvite",
+            name="token",
+        ),
+        migrations.AddField(
+            model_name="coapplicant",
+            name="created_at",
+            field=models.DateTimeField(auto_now_add=True, null=True),
+        ),
+        migrations.AddField(
+            model_name="coapplicantinvite",
+            name="responded_on",
+            field=models.DateTimeField(blank=True, null=True),
+        ),
+        migrations.AddField(
+            model_name="coapplicantinvite",
+            name="status",
+            field=models.CharField(
+                choices=[
+                    ("pending", "Pending"),
+                    ("accepted", "Accepted"),
+                    ("rejected", "Rejected"),
+                    ("expired", "Expired"),
+                ],
+                default="pending",
+                max_length=20,
+            ),
+        ),
+    ]

hypha/apply/funds/models/co_applicants.py

@@ -12,6 +12,7 @@
 
 
 class CoApplicantInviteStatus(models.TextChoices):
+    PENDING = "pending", "Pending"
     ACCEPTED = "accepted", "Accepted"
     REJECTED = "rejected", "Rejected"
     EXPIRED = "expired", "Expired"
@@ -24,15 +25,19 @@ class CoApplicantInvite(models.Model):
         related_name="co_applicant_invites",
     )
     invited_user_email = models.EmailField()
-    token = models.CharField(max_length=256, unique=True)
-    is_used = models.BooleanField(default=False)
     invited_by = models.ForeignKey(
         User,
         on_delete=models.SET_NULL,
         null=True,
         blank=True,
         related_name="co_applicant_invites",
     )
+    status = models.CharField(
+        max_length=20,
+        choices=CoApplicantInviteStatus.choices,
+        default=CoApplicantInviteStatus.PENDING,
+    )
+    responded_on = models.DateTimeField(blank=True, null=True)
     created_at = models.DateTimeField(auto_now_add=True)
 
     class Meta:
@@ -55,12 +60,7 @@ class CoApplicant(models.Model):
         CoApplicantInvite, on_delete=models.CASCADE, related_name="co_applicant"
     )
     role = models.JSONField(default=list)
-    status = models.CharField(
-        max_length=20,
-        choices=CoApplicantInviteStatus.choices,
-        default=CoApplicantInviteStatus.ACCEPTED,
-    )
-    accepted_on = models.DateTimeField(null=True, blank=True)
+    created_at = models.DateTimeField(auto_now_add=True, null=True)
 
     class Meta:
         unique_together = ("submission", "user")

hypha/apply/funds/templates/funds/coapplicant_invite_landing_page.html

@@ -0,0 +1,31 @@
+{% extends 'base-apply.html' %}
+
+{% block user_menu %}
+{% endblock user_menu %}
+
+{% block content %}
+    <div class="bg-gray-100 max-w-[70%] mx-auto mt-6 px-10 pt-6 pb-4 border border-gray-300 rounded-sm">
+        You are invited as a co-applicant to submission "{{ submission.title }}", Please respond to the invitation by accept or reject the invite.
+        <br>
+        You will be auto signup/login to system and redirected to the submission on accept the invite. We strongly recommend you to update password after accept the invite. You may also update the email.
+        <div class="flex justify-end mt-10">
+            <a
+                class="button button--submit button--white"
+                hx-post="."
+                hx-vals='{"action": "reject"}'
+                hx-trigger="click"
+                hx-swap="none"
+            >Reject</a>
+            <a
+                class="button button--submit button--primary"
+                type="button"
+                href="{% url 'apply:submissions:invite_co_applicant' pk=submission.id %}"
+                hx-post="."
+                hx-vals='{"action": "accept"}'
+                hx-trigger="click"
+                hx-swap="none"
+            >Accept </a>
+        </div>
+    </div>
+
+{% endblock %}

hypha/apply/funds/templates/funds/includes/generic_primary_actions.html

@@ -1,4 +1,4 @@
-{% load i18n primaryactions_tags %}
+{% load i18n primaryactions_tags heroicons %}
 
 {% if request.user|should_display_primary_actions_block:object %}
     <div class="sidebar__inner sidebar__inner--light-blue sidebar__inner--actions" data-testid="sidebar-primary-actions">
@@ -27,13 +27,23 @@ <h5>{% trans "Actions to take" %}</h5>
     <div class="sidebar__inner sidebar__inner--light-blue sidebar__inner--actions" data-testid="sidebar-primary-actions">
         <h5>{% trans "Manage Co-applicants" %}</h5>
         {% for invite in object.co_applicant_invites.all %}
-            <p> {{ invite.invited_user_email }}</p>
+            <p>
+                <span title="{{ invite.get_status_display }}">
+                    {% if invite.status == "pending" %}
+                        {% heroicon_solid "exclamation-triangle" size=20 class="inline align-text-bottom me-1 fill-yellow-400" aria_hidden=true %}
+                    {% elif invite.status == "accepted" %}
+                        {% heroicon_solid "check-circle" size=20 class="inline align-text-bottom me-1 fill-green-400" aria_hidden=true %}
+                    {% elif invite.status == "rejected" %}
+                        {% heroicon_solid "x-circle" size=20 class="inline align-text-bottom me-1 fill-red-400" aria_hidden=true %}
+                    {% endif %}
+                </span>
+                {{ invite.invited_user_email }}</p>
         {% endfor %}
         <button
             class="button button--primary button--full-width button--bottom-space"
             hx-get="{% url 'apply:submissions:invite_co_applicant' pk=object.id %}"
             hx-target="#htmx-modal"
-            {% if object.co_applicant_invites.count >= 5 %}disabled{% endif %}
+            {% if object.co_applicant_invites.count >= 10 %}disabled{% endif %}
             role="button"
             aria-label="{% trans "Invite CoApplicant" %}"
         >{% trans "Invite Co-applicant" %}</button>

hypha/apply/funds/utils.py

@@ -7,6 +7,7 @@
 from operator import iconcat
 
 import django_filters as filters
+from django.core import signing
 from django.utils.html import strip_tags
 from django.utils.translation import gettext as _
 
@@ -223,3 +224,18 @@ def check_submissions_same_determination_form(submissions):
     if any(d_id != determination_form_ids[0] for d_id in determination_form_ids):
         same_form = False
     return same_form
+
+
+def generate_signed_token(data, salt):
+    token = signing.dumps(data, salt=salt)
+    return token
+
+
+def verify_signed_token(token, salt, max_age=86400):  # default max_age 1 day in sec
+    try:
+        data = signing.loads(token, salt=salt, max_age=max_age)
+        return data
+    except signing.BadSignature:
+        return None  # invalid token
+    except signing.SignatureExpired:
+        return None  # expired token