learningequality · ashnaaseth2325-oss · Mar 23, 2026 · Mar 25, 2026
diff --git a/contentcuration/contentcuration/tests/viewsets/test_invitation.py b/contentcuration/contentcuration/tests/viewsets/test_invitation.py
@@ -446,3 +446,27 @@ def test_update_invitation_decline(self):
             ).exists()
         )
         self.assertTrue(models.Change.objects.filter(channel=self.channel).exists())
+
+    def test_accept_invitation_by_non_invitee_is_forbidden(self):
+        invitation = models.Invitation.objects.create(**self.invitation_db_metadata)
+
+        # self.user is a channel editor, not the invited user
+        self.client.force_authenticate(user=self.user)
+        response = self.client.post(
+            reverse("invitation-accept", kwargs={"pk": invitation.id})
+        )
+        self.assertEqual(response.status_code, 403, response.content)
+        invitation.refresh_from_db()
+        self.assertFalse(invitation.accepted)
+
+    def test_decline_invitation_by_non_invitee_is_forbidden(self):
+        invitation = models.Invitation.objects.create(**self.invitation_db_metadata)
+
+        # self.user is a channel editor, not the invited user
+        self.client.force_authenticate(user=self.user)
+        response = self.client.post(
+            reverse("invitation-decline", kwargs={"pk": invitation.id})
+        )
+        self.assertEqual(response.status_code, 403, response.content)
+        invitation.refresh_from_db()
+        self.assertFalse(invitation.declined)
diff --git a/contentcuration/contentcuration/viewsets/invitation.py b/contentcuration/contentcuration/viewsets/invitation.py
@@ -1,6 +1,7 @@
 from django_filters.rest_framework import CharFilter
 from django_filters.rest_framework import FilterSet
 from rest_framework import serializers
+from rest_framework import status
 from rest_framework.decorators import action
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
@@ -140,6 +141,11 @@ def perform_update(self, serializer):
     @action(detail=True, methods=["post"])
     def accept(self, request, pk=None):
         invitation = self.get_object()
+        if request.user.email.lower() != (invitation.email or "").lower():
+            return Response(
+                {"detail": "Only the invited user may accept this invitation."},
+                status=status.HTTP_403_FORBIDDEN,
+            )
         invitation.accept()
         invitation.accepted = True
         invitation.save()
@@ -158,6 +164,11 @@ def accept(self, request, pk=None):
     @action(detail=True, methods=["post"])
     def decline(self, request, pk=None):
         invitation = self.get_object()
+        if request.user.email.lower() != (invitation.email or "").lower():
+            return Response(
+                {"detail": "Only the invited user may decline this invitation."},
+                status=status.HTTP_403_FORBIDDEN,
+            )
         invitation.declined = True
         invitation.save()
         Change.create_change(