nextcloud · Sam428-png · Mar 9, 2026
@@ -17,6 +17,7 @@
 use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\IDBConnection;
 use OCP\IRequest;
+use OCP\IURLGenerator;
 use Sabre\VObject\ITip\Message;
 use Sabre\VObject\Reader;
 
@@ -31,13 +32,15 @@ class InvitationResponseController extends Controller {
 	 * @param IDBConnection $db
 	 * @param ITimeFactory $timeFactory
 	 * @param InvitationResponseServer $responseServer
+	 * @param IURLGenerator $urlGenerator
 	 */
 	public function __construct(
 		string $appName,
 		IRequest $request,
 		private IDBConnection $db,
 		private ITimeFactory $timeFactory,
 		private InvitationResponseServer $responseServer,
+		private IURLGenerator $urlGenerator,
 	) {
 		parent::__construct($appName, $request);
 		// Don't run `$server->exec()`, because we just need access to the
@@ -57,14 +60,13 @@ public function accept(string $token):TemplateResponse {
 			return new TemplateResponse($this->appName, 'schedule-response-error', [], 'guest');
 		}
 
-		$iTipMessage = $this->buildITipResponse($row, 'ACCEPTED');
-		$this->responseServer->handleITipMessage($iTipMessage);
-		if ($iTipMessage->getScheduleStatus() === '1.2') {
-			return new TemplateResponse($this->appName, 'schedule-response-success', [], 'guest');
-		}
-
-		return new TemplateResponse($this->appName, 'schedule-response-error', [
-			'organizer' => $row['organizer'],
+		// Show confirmation page with ACCEPTED preselected.
+		// The actual action is only performed via POST (processMoreOptionsResult),
+		// which prevents email link scanners from triggering accept/decline.
+		return new TemplateResponse($this->appName, 'schedule-response-options', [
+			'token' => $token,
+			'preselect' => 'ACCEPTED',
+			'formAction' => $this->urlGenerator->linkToRoute('dav.invitation_response.processMoreOptionsResult', ['token' => $token]),
 		], 'guest');
 	}
 
@@ -80,15 +82,10 @@ public function decline(string $token):TemplateResponse {
 			return new TemplateResponse($this->appName, 'schedule-response-error', [], 'guest');
 		}
 
-		$iTipMessage = $this->buildITipResponse($row, 'DECLINED');
-		$this->responseServer->handleITipMessage($iTipMessage);
-
-		if ($iTipMessage->getScheduleStatus() === '1.2') {
-			return new TemplateResponse($this->appName, 'schedule-response-success', [], 'guest');
-		}
-
-		return new TemplateResponse($this->appName, 'schedule-response-error', [
-			'organizer' => $row['organizer'],
+		return new TemplateResponse($this->appName, 'schedule-response-options', [
+			'token' => $token,
+			'preselect' => 'DECLINED',
+			'formAction' => $this->urlGenerator->linkToRoute('dav.invitation_response.processMoreOptionsResult', ['token' => $token]),
 		], 'guest');
 	}
 
@@ -100,7 +97,8 @@ public function decline(string $token):TemplateResponse {
 	#[NoCSRFRequired]
 	public function options(string $token):TemplateResponse {
 		return new TemplateResponse($this->appName, 'schedule-response-options', [
-			'token' => $token
+			'token' => $token,
+			'formAction' => $this->urlGenerator->linkToRoute('dav.invitation_response.processMoreOptionsResult', ['token' => $token]),
 		], 'guest');
 	}
 

@@ -4,24 +4,32 @@
  * SPDX-License-Identifier: AGPL-3.0-or-later
  */
 \OCP\Util::addStyle('dav', 'schedule-response');
+$preselect = $_['preselect'] ?? 'ACCEPTED';
+$formAction = $_['formAction'];
 ?>
 
 <div class="guest-box">
-	<form action="" method="post">
+	<form action="<?php p($formAction); ?>" method="post">
 		<fieldset id="partStat">
 			<h2><?php p($l->t('Are you accepting the invitation?')); ?></h2>
 			<div id="selectPartStatForm">
-				<input type="radio" id="partStatAccept" name="partStat" value="ACCEPTED" checked />
+				<input type="radio" id="partStatAccept" name="partStat" value="ACCEPTED" <?php if ($preselect === 'ACCEPTED') {
+					echo 'checked';
+				} ?> />
 				<label for="partStatAccept">
 					<span><?php p($l->t('Accept')); ?></span>
 				</label>
 
-				<input type="radio" id="partStatTentative" name="partStat" value="TENTATIVE" />
+				<input type="radio" id="partStatTentative" name="partStat" value="TENTATIVE" <?php if ($preselect === 'TENTATIVE') {
+					echo 'checked';
+				} ?> />
 				<label for="partStatTentative">
 					<span><?php p($l->t('Tentative')); ?></span>
 				</label>
 
-				<input type="radio" class="declined" id="partStatDeclined" name="partStat" value="DECLINED" />
+				<input type="radio" class="declined" id="partStatDeclined" name="partStat" value="DECLINED" <?php if ($preselect === 'DECLINED') {
+					echo 'checked';
+				} ?> />
 				<label for="partStatDeclined">
 					<span><?php p($l->t('Decline')); ?></span>
 				</label>