From 7e45db4cec8a2818764919c006ccf03f23ce3815 Mon Sep 17 00:00:00 2001
From: Shrihari Mahabal <shriharimahabal08@gmail.com>
Date: Wed, 29 Apr 2026 19:20:47 +0530
Subject: [PATCH] fix: invalidate user invitation if already accepted

---
 frappe/core/api/user_invitation.py                     | 2 +-
 frappe/core/doctype/user_invitation/user_invitation.py | 7 +++----
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/frappe/core/api/user_invitation.py b/frappe/core/api/user_invitation.py
index 1e685e6c28..2744dc42cd 100644
--- a/frappe/core/api/user_invitation.py
+++ b/frappe/core/api/user_invitation.py
@@ -129,7 +129,7 @@ def _accept_invitation(key: str, in_test: bool) -> None:
 	hashed_key = frappe.utils.sha256_hash(key)
 	invitation_name = frappe.db.get_value("User Invitation", filters={"key": hashed_key})
 	if not invitation_name:
-		frappe.throw(title=_("Error"), msg=_("Invalid key"))
+		frappe.throw(title=_("Error"), msg=_("Invalid or expired key"))
 	invitation = frappe.get_doc("User Invitation", invitation_name)
 
 	# accept invitation
diff --git a/frappe/core/doctype/user_invitation/user_invitation.py b/frappe/core/doctype/user_invitation/user_invitation.py
index 582ee2dfbe..3bf06e9aef 100644
--- a/frappe/core/doctype/user_invitation/user_invitation.py
+++ b/frappe/core/doctype/user_invitation/user_invitation.py
@@ -39,9 +39,7 @@ class UserInvitation(Document):
 		self._after_insert()
 
 	def accept(self, ignore_permissions: bool = False):
-		accepted_now = self._accept()
-		if not accepted_now:
-			return
+		self._accept()
 		user, user_inserted = self._upsert_user(ignore_permissions)
 		self.save(ignore_permissions)
 		user.save(ignore_permissions)
@@ -120,7 +118,7 @@ class UserInvitation(Document):
 
 	def _accept(self):
 		if self.status == "Accepted":
-			return False
+			frappe.throw(title=_("Error"), msg=_("Invitation already accepted"))
 		if self.status == "Expired":
 			frappe.throw(title=_("Error"), msg=_("Invitation is expired"))
 		if self.status == "Cancelled":
@@ -128,6 +126,7 @@ class UserInvitation(Document):
 		self.status = "Accepted"
 		self.accepted_at = frappe.utils.now()
 		self.user = self.email
+		self.key = None
 		return True
 
 	def _upsert_user(self, ignore_permissions: bool = False):