
❌ This issue is not open for contribution. Visit Contributing guidelines to learn about the contributing process and how to find suitable issues.

Description
Currently, invitation accept and decline endpoints do not explicitly enforce that only the invited user can perform these actions. This could allow unrelated authenticated users (e.g., channel editors) to accept or decline invitations not intended for them.
Steps to reproduce
- Create an invitation for user A (email: userA@example.com)
- Authenticate as a different user (user B)
- Send POST request to:
- /invitation//accept/
- or /invitation//decline/
Expected behavior
Only the invited user (matching the invitation email) should be able to accept or decline the invitation.
Actual behavior
Unrelated authenticated users may be able to perform these actions (depending on current permission checks).
Proposed solution
Add an authorization check to ensure that the request user’s email matches the invitation email before allowing accept or decline actions.
Additional context
This may already be partially handled by existing permission logic, but explicit validation and test coverage for this case would improve clarity and security.
❌ This issue is not open for contribution. Visit Contributing guidelines to learn about the contributing process and how to find suitable issues.
Description
Currently, invitation accept and decline endpoints do not explicitly enforce that only the invited user can perform these actions. This could allow unrelated authenticated users (e.g., channel editors) to accept or decline invitations not intended for them.
Steps to reproduce
Expected behavior
Only the invited user (matching the invitation email) should be able to accept or decline the invitation.
Actual behavior
Unrelated authenticated users may be able to perform these actions (depending on current permission checks).
Proposed solution
Add an authorization check to ensure that the request user’s email matches the invitation email before allowing accept or decline actions.
Additional context
This may already be partially handled by existing permission logic, but explicit validation and test coverage for this case would improve clarity and security.