diff --git a/app/main/views/invites.py b/app/main/views/invites.py
index 3d9544b8e..2da6db406 100644
--- a/app/main/views/invites.py
+++ b/app/main/views/invites.py
@@ -6,6 +6,7 @@ from flask import (
     render_template,
     abort
 )
+from markupsafe import Markup
 
 from app.main import main
 
@@ -24,14 +25,16 @@ def accept_invite(token):
     invited_user = invite_api_client.check_token(token)
 
     if not current_user.is_anonymous() and current_user.email_address != invited_user.email_address:
-        flash("""
+        message = Markup("""
             You’re signed in as {}.
             This invite is for another email address.
-            Sign out and click the link again to accept this invite.
-            """.format(
+            Sign out and click the link again to accept this invite.
+            """.format(
                 current_user.email_address,
-                url_for("main.sign_out")
-            ))
+                url_for("main.sign_out", _external=True)))
+
+        flash(message=message)
+
         abort(403)
 
     if invited_user.status == 'cancelled':
diff --git a/tests/app/main/views/test_accept_invite.py b/tests/app/main/views/test_accept_invite.py
index d81fd6d28..936c8d3c4 100644
--- a/tests/app/main/views/test_accept_invite.py
+++ b/tests/app/main/views/test_accept_invite.py
@@ -287,7 +287,7 @@ def test_signed_in_existing_user_cannot_use_anothers_invite(app_,
     banner_contents = flash_banners[0].text.strip()
     assert "You’re signed in as test@user.gov.uk." in banner_contents
     assert "This invite is for another email address." in banner_contents
-    assert "Sign out and click the link again to accept this invite." in banner_contents
+    assert "Sign out and click the link again to accept this invite." in banner_contents
 
     assert mock_accept_invite.call_count == 0
 
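Review bot: In the second hunk of invites.py, `message = Markup("""...""".format(...))` runs `str.format` on the plain template first and only then marks the whole result safe, so `current_user.email_address` lands in the flash banner with no HTML escaping, which defeats the protection the banner would otherwise get from autoescaping. Calling `format` on the Markup object instead escapes each argument while keeping the template trusted: change `message = Markup("""` … `""".format(` to `message = Markup("""` … `""").format(`, leaving the `current_user.email_address, url_for("main.sign_out", _external=True)` arguments as they are. The visible text shows one `{}` but two format arguments, so the second presumably fills a link target that this rendering has stripped; worth confirming the placeholder count matches before merging. The test hunk in test_accept_invite.py only checks text containment, so a case with an email address containing `<` would be the natural way to pin the escaping. The body of `accept_invite` continues past the end of the hunk.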