From 3b08ba4de1c32903b1a48cb807f500d4e8bc8884 Mon Sep 17 00:00:00 2001
From: Manuel Raynaud <manu@raynaud.io>
Date: Tue, 7 Oct 2025 12:08:07 +0200
Subject: [PATCH] =?UTF-8?q?=E2=99=BB=EF=B8=8F(backend)=20force=20saving=20?=
 =?UTF-8?q?invitation=20email=20in=20lowercase?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We want to enforce that invitation email are saved in lower case.
---
 src/backend/core/api/serializers.py           |  2 ++
 .../test_api_document_invitations.py          | 26 +++++++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/src/backend/core/api/serializers.py b/src/backend/core/api/serializers.py
index a4e5d9d8..fe94cd5f 100644
--- a/src/backend/core/api/serializers.py
+++ b/src/backend/core/api/serializers.py
@@ -740,6 +740,8 @@ class InvitationSerializer(serializers.ModelSerializer):
         if self.instance is None:
             attrs["issuer"] = user
 
+        attrs["email"] = attrs["email"].lower()
+
         return attrs
 
     def validate_role(self, role):
diff --git a/src/backend/core/tests/documents/test_api_document_invitations.py b/src/backend/core/tests/documents/test_api_document_invitations.py
index 33d99d8a..94c5f881 100644
--- a/src/backend/core/tests/documents/test_api_document_invitations.py
+++ b/src/backend/core/tests/documents/test_api_document_invitations.py
@@ -596,6 +596,32 @@ def test_api_document_invitations_create_cannot_invite_existing_users():
     }
 
 
+def test_api_document_invitations_create_lower_email():
+    """
+    No matter the case, the email should be converted to lowercase.
+    """
+    user = factories.UserFactory()
+    document = factories.DocumentFactory(users=[(user, "owner")])
+
+    # Build an invitation to the email of an existing identity in the db
+    invitation_values = {
+        "email": "GuEst@example.com",
+        "role": random.choice(models.RoleChoices.values),
+    }
+
+    client = APIClient()
+    client.force_login(user)
+
+    response = client.post(
+        f"/api/v1.0/documents/{document.id!s}/invitations/",
+        invitation_values,
+        format="json",
+    )
+
+    assert response.status_code == 201
+    assert response.json()["email"] == "guest@example.com"
+
+
 # Update