🐛(backend) manage invitation partial update without email

An invitation can be updated to change its role. The front use a PATCH sending only the changed role, so the email is missing in the InivtationSerializer.validate method. We have to check first if an email is present before working on it.
2025-10-16 17:26:02 +02:00
parent 5908afb098
commit c048b2ae95
4 changed files with 45 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,8 @@ and this project adheres to
 ### Fixed

 - ⚡️(backend) improve trashbin endpoint performance
+- 🐛(backend) manage invitation partial update without email #1494
+

 ## [3.8.0] - 2025-10-14

--- a/src/backend/core/api/serializers.py
+++ b/src/backend/core/api/serializers.py
@@ -749,7 +749,8 @@ class InvitationSerializer(serializers.ModelSerializer):
        if self.instance is None:
            attrs["issuer"] = user

-        attrs["email"] = attrs["email"].lower()
+        if attrs.get("email"):
+            attrs["email"] = attrs["email"].lower()

        return attrs

--- a/src/backend/core/tests/documents/test_api_document_invitations.py
+++ b/src/backend/core/tests/documents/test_api_document_invitations.py
@@ -769,6 +769,37 @@ def test_api_document_invitations_update_authenticated_unprivileged(
        assert value == old_invitation_values[key]


+@pytest.mark.parametrize("via", VIA)
+@pytest.mark.parametrize("role", ["administrator", "owner"])
+def test_api_document_invitations_patch(via, role, mock_user_teams):
+    """Partially updating an invitation should be allowed."""
+
+    user = factories.UserFactory()
+    invitation = factories.InvitationFactory(role="editor")
+
+    if via == USER:
+        factories.UserDocumentAccessFactory(
+            document=invitation.document, user=user, role=role
+        )
+    elif via == TEAM:
+        mock_user_teams.return_value = ["lasuite", "unknown"]
+        factories.TeamDocumentAccessFactory(
+            document=invitation.document, team="lasuite", role=role
+        )
+
+    client = APIClient()
+    client.force_login(user)
+
+    response = client.patch(
+        f"/api/v1.0/documents/{invitation.document.id!s}/invitations/{invitation.id!s}/",
+        {"role": "reader"},
+        format="json",
+    )
+    assert response.status_code == 200
+    invitation.refresh_from_db()
+    assert invitation.role == "reader"
+
+
 # Delete


--- a/src/frontend/apps/e2e/tests/app-impress/doc-member-create.spec.ts
+++ b/src/frontend/apps/e2e/tests/app-impress/doc-member-create.spec.ts
@@ -202,9 +202,19 @@ test.describe('Document create member', () => {
    );
    await expect(userInvitation).toBeVisible();

+    const responsePromisePatchInvitation = page.waitForResponse(
+      (response) =>
+        response.url().includes('/invitations/') &&
+        response.status() === 200 &&
+        response.request().method() === 'PATCH',
+    );
+
    await userInvitation.getByLabel('doc-role-dropdown').click();
    await page.getByRole('menuitem', { name: 'Reader' }).click();

+    const responsePatchInvitation = await responsePromisePatchInvitation;
+    expect(responsePatchInvitation.ok()).toBeTruthy();
+
    const moreActions = userInvitation.getByRole('button', {
      name: 'Open invitation actions menu',
    });