#12374 Fix issue preventing users from accepting invitations while logged out

taslangraham · taslangraham · commit c98c494eeac5 · 2026-03-10T10:36:06.000-05:00
diff --git a/api/v1/_i18n/I18nController.php b/api/v1/_i18n/I18nController.php
@@ -21,6 +21,7 @@
 use Illuminate\Http\Response;
 use Illuminate\Support\Facades\Route;
 use PKP\core\PKPBaseController;
+use PKP\core\PKPRequest;
 use PKP\facades\Locale;
 
 class I18nController extends PKPBaseController
@@ -49,6 +50,16 @@ public function getGroupRoutes(): void
         Route::get('ui.js', $this->getTranslations(...))->name('_i18n.getTranslations');
     }
 
+
+    /**
+     * @copydoc \PKP\core\PKPBaseController::authorize()
+     */
+    public function authorize(PKPRequest $request, array &$args, array $roleAssignments): bool
+    {
+        // No authorization required for publicly accessible endpoint
+        return true;
+    }
+
     /**
      * Provides javascript file which includes all translations used in Vue.js UI.
      */
diff --git a/api/v1/invitations/InvitationController.php b/api/v1/invitations/InvitationController.php
@@ -41,6 +41,13 @@ class InvitationController extends PKPBaseController
     public const PARAM_ID = 'invitationId';
     public const PARAM_KEY = 'key';
 
+    public array $publicActions = [
+        'receive',
+        'finalize',
+        'refine',
+        'decline',
+    ];
+
     public $actionsInvite = [
         'get',
         'populate',
@@ -184,6 +191,10 @@ public function authorize(PKPRequest $request, array &$args, array $roleAssignme
         $invitationId = (int) $this->getParameter(self::PARAM_ID);
         $invitationKey = $this->getParameter(self::PARAM_KEY);
 
+        if(in_array($actionName, $this->publicActions)){
+            $this->setEnforceRestrictedSite(false);
+        }
+
         if (in_array($actionName, $this->requiresType)) {
             if (!isset($invitationType)) {
                 throw new Exception("Parameter with the name '" . self::PARAM_TYPE . "' needs to be declared");
diff --git a/classes/security/authorization/RestrictedSiteAccessPolicy.php b/classes/security/authorization/RestrictedSiteAccessPolicy.php
@@ -76,7 +76,7 @@ public function effect(): int
      */
     private function _getLoginExemptions(): array
     {
-        $exemptions = ['user', 'login', 'help', 'header', 'sidebar', 'payment'];
+        $exemptions = ['user', 'login', 'help', 'header', 'sidebar', 'payment', 'invitation'];
         Hook::call('RestrictedSiteAccessPolicy::_getLoginExemptions', [[&$exemptions]]);
         return $exemptions;
     }

Original file line number	Diff line number	Diff line change
`@@ -76,7 +76,7 @@ public function effect(): int`
`76`	`76`	`*/`
`77`	`77`	`private function _getLoginExemptions(): array`
`78`	`78`	`{`
`79`		`- $exemptions = ['user', 'login', 'help', 'header', 'sidebar', 'payment'];`
	`79`	`+ $exemptions = ['user', 'login', 'help', 'header', 'sidebar', 'payment', 'invitation'];`
`80`	`80`	`Hook::call('RestrictedSiteAccessPolicy::_getLoginExemptions', [[&$exemptions]]);`
`81`	`81`	`return $exemptions;`
`82`	`82`	`}`