Skip to content

Restrict invitation accept/decline actions to invited user only #5781

Description

@ashnaaseth2325-oss

This issue is not open for contribution. Visit Contributing guidelines to learn about the contributing process and how to find suitable issues.

Description

Currently, invitation accept and decline endpoints do not explicitly enforce that only the invited user can perform these actions. This could allow unrelated authenticated users (e.g., channel editors) to accept or decline invitations not intended for them.

Steps to reproduce

  1. Create an invitation for user A (email: userA@example.com)
  2. Authenticate as a different user (user B)
  3. Send POST request to:
    • /invitation//accept/
    • or /invitation//decline/

Expected behavior

Only the invited user (matching the invitation email) should be able to accept or decline the invitation.

Actual behavior

Unrelated authenticated users may be able to perform these actions (depending on current permission checks).

Proposed solution

Add an authorization check to ensure that the request user’s email matches the invitation email before allowing accept or decline actions.

Additional context

This may already be partially handled by existing permission logic, but explicit validation and test coverage for this case would improve clarity and security.

Metadata

Metadata

Type

No fields configured for Bug.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions