From f30b4bcafdd25fa43bcabbd58476fc5bca070e2c Mon Sep 17 00:00:00 2001
From: Eugene Burmakin
Date: Sun, 28 Sep 2025 18:50:02 +0200
Subject: [PATCH] Use id to cancel invitations
---
 app/controllers/family_invitations_controller.rb | 9 +++++++--
 app/views/families/show.html.erb | 2 +-
 spec/requests/family_invitations_spec.rb | 7 +++----
 3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/app/controllers/family_invitations_controller.rb b/app/controllers/family_invitations_controller.rb
index 9eeab058..8323b589 100644
--- a/app/controllers/family_invitations_controller.rb
+++ b/app/controllers/family_invitations_controller.rb
@@ -4,7 +4,8 @@ class FamilyInvitationsController < ApplicationController
 before_action :authenticate_user!, except: %i[show accept]
 before_action :ensure_family_feature_enabled!, except: %i[show accept]
 before_action :set_family, except: %i[show accept]
- before_action :set_invitation, only: %i[show accept destroy]
+ before_action :set_invitation_by_token, only: %i[show accept]
+ before_action :set_invitation_by_id, only: %i[destroy]
 def index
 authorize @family, :show?
@@ -106,10 +107,14 @@ class FamilyInvitationsController < ApplicationController
 redirect_to families_path, alert: 'Family not found' and return unless @family
 end
- def set_invitation
+ def set_invitation_by_token
 @invitation = FamilyInvitation.find_by!(token: params[:id])
 end
+ def set_invitation_by_id
+ @invitation = @family.family_invitations.find(params[:id])
+ end
+
 def invitation_params
 params.require(:family_invitation).permit(:email)
 end
diff --git a/app/views/families/show.html.erb b/app/views/families/show.html.erb
index b4060867..5fb8c12f 100644
--- a/app/views/families/show.html.erb
+++ b/app/views/families/show.html.erb
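Review bot: In app/controllers/family_invitations_controller.rb the new `set_invitation_by_id` is only as safe as `@family`, because the scoped `@family.family_invitations.find(params[:id])` is what keeps a guessed integer id from reaching another family's invitation. Only the last line of `set_family` is visible in the second hunk, so confirm it resolves the family from the signed-in user rather than from `params[:family_id]` alone. I would record the intent above the method with a comment such as `# Scoped to @family: ids are guessable, so never look an invitation up globally here; the token lookup is reserved for the public show/accept links.` `find` raises `ActiveRecord::RecordNotFound` for an unknown or foreign id and no rescue is visible in these hunks, so check that destroy answers with a 404 or a redirect in that case.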
@@ -106,7 +106,7 @@
 <% if policy(@family).manage_invitations? %>
 <%= link_to family_invitation_path(@family, invitation),
 method: :delete,
- confirm: 'Are you sure you want to cancel this invitation?',
+ data: { confirm: 'Are you sure you want to cancel this invitation?', turbo_confirm: 'Are you sure you want to cancel this invitation?' },
 class: "text-red-600 hover:text-red-800 dark:text-red-400 dark:hover:text-red-300 text-sm font-medium" do %>
 Cancel
 <% end %>
diff --git a/spec/requests/family_invitations_spec.rb b/spec/requests/family_invitations_spec.rb
index 3712129c..2ac273f9 100644
--- a/spec/requests/family_invitations_spec.rb
+++ b/spec/requests/family_invitations_spec.rb
@@ -240,14 +240,13 @@ RSpec.describe 'Family Invitations', type: :request do
 before { sign_in user }
 it 'cancels the invitation' do
- delete "/families/#{family.id}/invitations/#{invitation.token}"
+ delete "/families/#{family.id}/invitations/#{invitation.id}"
 invitation.reload
 expect(invitation.status).to eq('cancelled')
- expect(response).to redirect_to(family_path(family))
 end
 it 'redirects with success message' do
- delete "/families/#{family.id}/invitations/#{invitation.token}"
+ delete "/families/#{family.id}/invitations/#{invitation.id}"
 expect(response).to redirect_to(family_path(family))
 follow_redirect!
 expect(response.body).to include('Invitation cancelled')
@@ -257,7 +256,7 @@ RSpec.describe 'Family Invitations', type: :request do
 before { membership.update!(role: :member) }
 it 'redirects due to authorization failure' do
- delete "/families/#{family.id}/invitations/#{invitation.token}"
+ delete "/families/#{family.id}/invitations/#{invitation.id}"
 expect(response).to have_http_status(:see_other)
 expect(flash[:alert]).to include('not authorized')
 end
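Review bot: In app/views/families/show.html.erb the link still sets its verb with `method: :delete`, which only rails-ujs honours, while the confirmation text is now supplied for both rails-ujs and Turbo. The JavaScript setup is not visible here, but if the page runs Turbo without rails-ujs the click goes out as a GET to the same path, where `show` would presumably look the numeric id up as a token and fail. Carrying the Turbo verb in the same hash keeps the two drivers in step: `data: { turbo_method: :delete, confirm: '...', turbo_confirm: '...' }`. The message string is written twice on one line and could be held in a local or an I18n key.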
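Review bot: The updated examples in spec/requests/family_invitations_spec.rb only send an id that belongs to `family`, so nothing pins the family-scoped lookup this commit introduces in the controller. I would add an example that creates an invitation for a second family and sends `delete "/families/#{family.id}/invitations/#{other_invitation.id}"` (name illustrative), expecting a not-found style response and an unchanged status. A further example that sends `invitation.token` in place of the id would confirm the token no longer cancels. The same substitution repeats in the two later hunks; the `redirect_to` expectation dropped from 'cancels the invitation' is still asserted by the next example.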