Merge pull request #39008 from ShrihariMahabal/invalidate-accepted-user-invitation

fix: invalidate user invitation if already accepted
2026-04-29 19:32:28 +05:30 · 2026-04-29 19:32:28 +05:30 · f185f03660
commit f185f03660
parent a2b162c960 7e45db4cec
2 changed files with 4 additions and 5 deletions
--- a/frappe/core/api/user_invitation.py
+++ b/frappe/core/api/user_invitation.py
@ -129,7 +129,7 @@ def _accept_invitation(key: str, in_test: bool) -> None:
 	hashed_key = frappe.utils.sha256_hash(key)
 	invitation_name = frappe.db.get_value("User Invitation", filters={"key": hashed_key})
 	if not invitation_name:
-		frappe.throw(title=_("Error"), msg=_("Invalid key"))
+		frappe.throw(title=_("Error"), msg=_("Invalid or expired key"))
 	invitation = frappe.get_doc("User Invitation", invitation_name)
 	# accept invitation
--- a/frappe/core/doctype/user_invitation/user_invitation.py
+++ b/frappe/core/doctype/user_invitation/user_invitation.py
@ -39,9 +39,7 @@ class UserInvitation(Document):
 		self._after_insert()
 	def accept(self, ignore_permissions: bool = False):
-		accepted_now = self._accept()
+		self._accept()
 		if not accepted_now:
 			return
 		user, user_inserted = self._upsert_user(ignore_permissions)
 		self.save(ignore_permissions)
 		user.save(ignore_permissions)
@ -120,7 +118,7 @@ class UserInvitation(Document):
 	def _accept(self):
 		if self.status == "Accepted":
-			return False
+			frappe.throw(title=_("Error"), msg=_("Invitation already accepted"))
 		if self.status == "Expired":
 			frappe.throw(title=_("Error"), msg=_("Invitation is expired"))
 		if self.status == "Cancelled":
@ -128,6 +126,7 @@ class UserInvitation(Document):
 		self.status = "Accepted"
 		self.accepted_at = frappe.utils.now()
 		self.user = self.email
 		self.key = None
 		return True
 	def _upsert_user(self, ignore_permissions: bool = False):