2 files changed, 25 insertions, 10 deletions

diff --git a/gn3/auth/authorisation/groups/models.py b/gn3/auth/authorisation/groups/models.py
index f78aedd..2a6f840 100644
--- a/gn3/auth/authorisation/groups/models.py
+++ b/gn3/auth/authorisation/groups/models.py
@@ -274,8 +274,10 @@ def join_requests(conn: db.DbConnection, user: User):
               error_description=("You do not have the appropriate authorisation"
                                  " to act upon the join requests."),
               oauth2_scope="profile group")
-def accept_join_request(conn: db.DbConnection, request_id: UUID, user: User):
-    """Accept a join request."""
+def accept_reject_join_request(
+        conn: db.DbConnection, request_id: UUID, user: User, status: str) -> dict:
+    """Accept/Reject a join request."""
+    assert status in ("ACCEPTED", "REJECTED"), f"Invalid status '{status}'."
     with db.cursor(conn) as cursor:
         group = user_group(cursor, user).maybe(DUMMY_GROUP, lambda grp: grp) # type: ignore[misc]
         cursor.execute("SELECT * FROM group_join_requests WHERE request_id=?",
@@ -288,13 +290,14 @@ def accept_join_request(conn: db.DbConnection, request_id: UUID, user: User):
                 if the_user == DUMMY_USER:
                     raise InconsistencyError(
                         "Could not find user associated with join request.")
-                add_user_to_group(cursor, group, the_user)
-                revoke_user_role_by_name(cursor, the_user, "group-creator")
+                if status == "ACCEPTED":
+                    add_user_to_group(cursor, group, the_user)
+                    revoke_user_role_by_name(cursor, the_user, "group-creator")
                 cursor.execute(
-                    "UPDATE group_join_requests SET status='ACCEPTED' "
+                    "UPDATE group_join_requests SET status=? "
                     "WHERE request_id=?",
-                    (str(request_id),))
-                return {"request_id": request_id, "status": "ACCEPTED"}
+                    (status, str(request_id)))
+                return {"request_id": request_id, "status": status}
             raise AuthorisationError(
                 "You cannot act on other groups join requests")
         raise NotFoundError(f"Could not find request with ID '{request_id}'")
diff --git a/gn3/auth/authorisation/groups/views.py b/gn3/auth/authorisation/groups/views.py
index f12c75c..d3710f6 100644
--- a/gn3/auth/authorisation/groups/views.py
+++ b/gn3/auth/authorisation/groups/views.py
@@ -10,8 +10,8 @@ from gn3.auth.dictify import dictify
 from gn3.auth.db_utils import with_db_connection
 
 from .models import (
-    user_group, all_groups, join_requests, accept_join_request,
-    GroupCreationError, group_users as _group_users,
+    user_group, all_groups, join_requests, GroupCreationError,
+    accept_reject_join_request, group_users as _group_users,
     create_group as _create_group)
 
 from ..errors import AuthorisationError
@@ -115,4 +115,16 @@ def accept_join_requests() -> Response:
         form = request.form
         request_id = uuid.UUID(form.get("request_id"))
         return jsonify(with_db_connection(partial(
-            accept_join_request, request_id=request_id, user=the_token.user)))
+            accept_reject_join_request, request_id=request_id,
+            user=the_token.user, status="ACCEPTED")))
+
+@groups.route("/requests/join/reject", methods=["POST"])
+@require_oauth("profile group")
+def reject_join_requests() -> Response:
+    """Reject a join request."""
+    with require_oauth.acquire("profile group") as the_token:
+        form = request.form
+        request_id = uuid.UUID(form.get("request_id"))
+        return jsonify(with_db_connection(partial(
+            accept_reject_join_request, request_id=request_id,
+            user=the_token.user, status="REJECTED")))