The Petition Finalization notification message has a source URL to the co_petitions_controller view method for that petition. However, users are not allowed to view petitions.
The default notification message template puts the source URL in the email message. Clicking on that link will give the user a 'Permission denied' flash message and redirect them to the home page.
Entering a customised template in the finalization notification template field for an enrollment flow will work around this, but disallows using relevant identifiers. It would be, for example, much more worthwhile to allow the user to view and change his own CoPerson information after completing the enrollment. However, changing the source URL of the notification message to that effect removes the actual source from the notification itself.
Possible solutions might include:
- allowing users to view their own petitions
- adding a 'related-url' field to the notification to accomodate such 'related' urls
- expanding the number of substitutions on the templates with CoPerson id, group id, etc., so that more complex URLs can be formed in the enrollment flow template.
The first option would fix the issue directly. The other options require that the default notification message for a finalization notification is changed to display the relevant, authorised links.