From b1a7c3223760ebb0c39c3e348d9b92ae14a734df Mon Sep 17 00:00:00 2001
From: Anton Krytskyi <ant.krytskyi@gmail.com>
Date: Mon, 2 Jun 2025 15:37:20 +0300
Subject: [PATCH 1/2] pass user permissions when reject access request

---
 website/templates/project/contributors.mako | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/website/templates/project/contributors.mako b/website/templates/project/contributors.mako
index d58a04f7bd7..6c0649df0f7 100644
--- a/website/templates/project/contributors.mako
+++ b/website/templates/project/contributors.mako
@@ -433,7 +433,12 @@
                            visible: visible()
                        })}"
                 ><i class="fa fa-plus"></i> Add</button>
-                <span data-bind="click: function() {respondToAccessRequest('reject')}, visible: !$root.collapsed()"><i class="fa fa-times fa-2x remove-or-reject"></i></span>
+                <span
+                    data-bind="click: function() {respondToAccessRequest('reject', {
+                        permissions: permission(),
+                        visible: !$root.collapsed()
+                    })}"
+                ><i class="fa fa-times fa-2x remove-or-reject"></i></span>
                 <button class="btn btn-default btn-sm m-l-md" data-bind="click: function() {respondToAccessRequest('reject')}, visible: $root.collapsed()"><i class="fa fa-times"></i> Remove</button>
             </div>
         </td>

From 16aece0b3a2b2b02bd2f6c9b753a7ec70c360dff Mon Sep 17 00:00:00 2001
From: Anton Krytskyi <ant.krytskyi@gmail.com>
Date: Tue, 3 Jun 2025 15:28:32 +0300
Subject: [PATCH 2/2] don't pass permission parameter explicitly; add data
 default value

---
 website/static/js/accessRequestManager.js   | 2 ++
 website/templates/project/contributors.mako | 4 +---
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/website/static/js/accessRequestManager.js b/website/static/js/accessRequestManager.js
index 96446cd3a34..bed7b65696f 100644
--- a/website/static/js/accessRequestManager.js
+++ b/website/static/js/accessRequestManager.js
@@ -62,6 +62,8 @@ var AccessRequestModel = function(accessRequest, pageOwner, isRegistration, isPa
     self.respondToAccessRequest = function(trigger, data, event) {
         $osf.trackClick('button', 'click', trigger + '-project-access');
         $osf.block();
+        data = data || {};
+
         var requestUrl = $osf.apiV2Url('actions/requests/nodes/');
         var payload = self.requestAccessPayload(trigger, data.permissions, data.visible);
         var request = $osf.ajaxJSON(
diff --git a/website/templates/project/contributors.mako b/website/templates/project/contributors.mako
index 6c0649df0f7..1736d73cf53 100644
--- a/website/templates/project/contributors.mako
+++ b/website/templates/project/contributors.mako
@@ -433,9 +433,7 @@
                            visible: visible()
                        })}"
                 ><i class="fa fa-plus"></i> Add</button>
-                <span
-                    data-bind="click: function() {respondToAccessRequest('reject', {
-                        permissions: permission(),
+                <span data-bind="click: function() {respondToAccessRequest('reject', {
                         visible: !$root.collapsed()
                     })}"
                 ><i class="fa fa-times fa-2x remove-or-reject"></i></span>