From 855f8cbca610be740067f81281f1a73dbe056709 Mon Sep 17 00:00:00 2001
From: Morgan Roderick
Date: Tue, 10 Mar 2026 19:25:23 +0100
Subject: [PATCH 1/2] fix: return 404 when invitation not found by token
---
 app/controllers/invitations_controller.rb | 1 +
 .../invitations_controller_spec.rb | 30 +++++++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 spec/controllers/invitations_controller_spec.rb
diff --git a/app/controllers/invitations_controller.rb b/app/controllers/invitations_controller.rb
index fb4964b26..2aedf1e8f 100644
--- a/app/controllers/invitations_controller.rb
+++ b/app/controllers/invitations_controller.rb
@@ -88,6 +88,7 @@ def cancel_meeting
 def set_invitation
 @invitation = Invitation.find_by(token: params[:token])
+ head :not_found unless @invitation
 end
 def load_invitation
diff --git a/spec/controllers/invitations_controller_spec.rb b/spec/controllers/invitations_controller_spec.rb
new file mode 100644
index 000000000..830cce365
--- /dev/null
+++ b/spec/controllers/invitations_controller_spec.rb
@@ -0,0 +1,30 @@
+RSpec.describe InvitationsController do
+ let(:event) { Fabricate(:event) }
+
+ describe 'GET #show' do
+ context 'with invalid token' do
+ it 'returns http not found' do
+ get :show, params: { event_id: event.id, token: 'invalid_token' }
+ expect(response).to have_http_status(:not_found)
+ end
+ end
+ end
+
+ describe 'POST #attend' do
+ context 'with invalid token' do
+ it 'returns http not found' do
+ post :attend, params: { event_id: event.id, token: 'invalid_token' }
+ expect(response).to have_http_status(:not_found)
+ end
+ end
+ end
+
+ describe 'POST #reject' do
+ context 'with invalid token' do
+ it 'returns http not found' do
+ post :reject, params: { event_id: event.id, token: 'invalid_token' }
+ expect(response).to have_http_status(:not_found)
+ end
+ end
+ end
+end
From 6c83d9287c9885d66847bbd06cd242328c25e121 Mon Sep 17 00:00:00 2001
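Review bot: set_invitation in app/controllers/invitations_controller.rb resolves the invitation from `params[:token]` alone, and the added guard only covers the case where no row matches; the requests in this patch's spec also send `event_id`, which the lookup ignores. Unless the actions compare the invitation's event with the one in the URL somewhere outside this hunk, a valid token is accepted under any event id. I would state the contract above the method, e.g. `# Looks up the invitation by token only; params[:event_id] is not checked here.`, or add the comparison in this method. The filter declaration and the actions that use @invitation are outside the hunk, so this is inferred from the visible lines only.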
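Review bot: All three examples in spec/controllers/invitations_controller_spec.rb assert only the failure path, so they would still pass if set_invitation answered 404 for every token. Add one example per action that sends the token of an existing invitation and asserts `expect(response).not_to have_http_status(:not_found)`. The three `describe` blocks also differ only in HTTP verb and action name, so a single parameterised example over show, attend and reject would remove the duplication.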
From: Morgan Roderick
Date: Tue, 10 Mar 2026 19:35:53 +0100
Subject: [PATCH 2/2] fix: raise RoutingError to return 404 page
---
 app/controllers/invitations_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controllers/invitations_controller.rb b/app/controllers/invitations_controller.rb
index 2aedf1e8f..89ec7788b 100644
--- a/app/controllers/invitations_controller.rb
+++ b/app/controllers/invitations_controller.rb
@@ -88,7 +88,7 @@ def cancel_meeting
 def set_invitation
 @invitation = Invitation.find_by(token: params[:token])
- head :not_found unless @invitation
+ raise ActionController::RoutingError, 'Invitation not found' unless @invitation
 end
 def load_invitation
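Review bot: The `raise ActionController::RoutingError` in set_invitation is not turned into a 404 response inside a controller spec unless the application rescues it (a `rescue_from` in a base controller would do it, but none is visible here). This patch leaves spec/controllers/invitations_controller_spec.rb from patch 1 untouched, so its `have_http_status(:not_found)` expectations may now fail with the raised error instead. Either confirm that such a handler exists, or change the examples to `expect { get :show, params: { event_id: event.id, token: 'invalid_token' } }.to raise_error(ActionController::RoutingError)`. As an alternative, `@invitation = Invitation.find_by!(token: params[:token])` raises ActiveRecord::RecordNotFound, which Rails already maps to a 404 page, and needs no hand-written raise. set_invitation's callers lie outside the hunk.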