🐛(backend) manage invitation partial update without email

An invitation can be updated to change its role. The front use a PATCH
sending only the changed role, so the email is missing in the
InivtationSerializer.validate method. We have to check first if an email
is present before working on it.

Author: lunika

CHANGELOG.md

@@ -15,6 +15,8 @@ and this project adheres to
 ### Fixed
 
 - ⚡️(backend) improve trashbin endpoint performance
+- 🐛(backend) manage invitation partial update without email #1494
+
 
 ## [3.8.0] - 2025-10-14
 

src/backend/core/api/serializers.py

@@ -749,7 +749,8 @@ def validate(self, attrs):
         if self.instance is None:
             attrs["issuer"] = user
 
-        attrs["email"] = attrs["email"].lower()
+        if attrs.get("email"):
+            attrs["email"] = attrs["email"].lower()
 
         return attrs
 

src/backend/core/tests/documents/test_api_document_invitations.py

@@ -769,6 +769,37 @@ def test_api_document_invitations_update_authenticated_unprivileged(
         assert value == old_invitation_values[key]
 
 
+@pytest.mark.parametrize("via", VIA)
+@pytest.mark.parametrize("role", ["administrator", "owner"])
+def test_api_document_invitations_patch(via, role, mock_user_teams):
+    """Partially updating an invitation should be allowed."""
+
+    user = factories.UserFactory()
+    invitation = factories.InvitationFactory(role="editor")
+
+    if via == USER:
+        factories.UserDocumentAccessFactory(
+            document=invitation.document, user=user, role=role
+        )
+    elif via == TEAM:
+        mock_user_teams.return_value = ["lasuite", "unknown"]
+        factories.TeamDocumentAccessFactory(
+            document=invitation.document, team="lasuite", role=role
+        )
+
+    client = APIClient()
+    client.force_login(user)
+
+    response = client.patch(
+        f"/api/v1.0/documents/{invitation.document.id!s}/invitations/{invitation.id!s}/",
+        {"role": "reader"},
+        format="json",
+    )
+    assert response.status_code == 200
+    invitation.refresh_from_db()
+    assert invitation.role == "reader"
+
+
 # Delete
 
 

src/frontend/apps/e2e/__tests__/app-impress/doc-member-create.spec.ts

@@ -202,9 +202,19 @@ test.describe('Document create member', () => {
     );
     await expect(userInvitation).toBeVisible();
 
+    const responsePromisePatchInvitation = page.waitForResponse(
+      (response) =>
+        response.url().includes('/invitations/') &&
+        response.status() === 200 &&
+        response.request().method() === 'PATCH',
+    );
+
     await userInvitation.getByLabel('doc-role-dropdown').click();
     await page.getByRole('menuitem', { name: 'Reader' }).click();
 
+    const responsePatchInvitation = await responsePromisePatchInvitation;
+    expect(responsePatchInvitation.ok()).toBeTruthy();
+
     const moreActions = userInvitation.getByRole('button', {
       name: 'Open invitation actions menu',
     });