Org: Improves robustness of reject view for reservations

Previously it was possible to accidentally reject all reservations if
a link was clicked multiple times or the ticket was opened in multiple
tabs.

TYPE: Bugfix
LINK: OGC-3072

Author: Daverball

src/onegov/org/locale/de_CH/LC_MESSAGES/onegov.org.po

@@ -2,7 +2,7 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE 1.0\n"
-"POT-Creation-Date: 2026-03-25 11:20+0100\n"
+"POT-Creation-Date: 2026-03-31 12:57+0200\n"
 "PO-Revision-Date: 2022-03-15 10:21+0100\n"
 "Last-Translator: Marc Sommerhalder <marc.sommerhalder@seantis.ch>\n"
 "Language-Team: German\n"
@@ -7374,6 +7374,9 @@ msgstr ""
 "Die folgende Nachricht wird an ${address} gesendet und als zukünftige "
 "Referenz gespeichert."
 
+msgid "The targeted reservation no longer exists"
+msgstr "Die Reservation existiert nicht oder wurde bereits abgelehnt"
+
 msgid ""
 "The payment associated with this reservation needs to be refunded before the "
 "reservation can be rejected"

src/onegov/org/locale/fr_CH/LC_MESSAGES/onegov.org.po

@@ -2,7 +2,7 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE 1.0\n"
-"POT-Creation-Date: 2026-03-25 11:20+0100\n"
+"POT-Creation-Date: 2026-03-31 12:57+0200\n"
 "PO-Revision-Date: 2022-03-15 10:50+0100\n"
 "Last-Translator: Marc Sommerhalder <marc.sommerhalder@seantis.ch>\n"
 "Language-Team: French\n"
@@ -7386,6 +7386,9 @@ msgstr ""
 "Le message suivant sera envoyé à ${adresse} et sera enregistré pour des "
 "références futures."
 
+msgid "The targeted reservation no longer exists"
+msgstr "La réservation n'existe plus ou a déjà été refusée"
+
 msgid ""
 "The payment associated with this reservation needs to be refunded before the "
 "reservation can be rejected"

src/onegov/org/locale/it_CH/LC_MESSAGES/onegov.org.po

@@ -2,7 +2,7 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: \n"
-"POT-Creation-Date: 2026-03-25 11:20+0100\n"
+"POT-Creation-Date: 2026-03-31 12:57+0200\n"
 "PO-Revision-Date: 2022-03-15 10:52+0100\n"
 "Last-Translator: \n"
 "Language-Team: \n"
@@ -7349,6 +7349,9 @@ msgstr ""
 "Il seguente messaggio verrà inviato a ${address} e sarà registrato per "
 "riferimento futuro."
 
+msgid "The targeted reservation no longer exists"
+msgstr "La prenotazione non esiste più o è già stata rifiutata"
+
 msgid ""
 "The payment associated with this reservation needs to be refunded before the "
 "reservation can be rejected"

src/onegov/org/views/reservation.py

@@ -1235,26 +1235,40 @@ def reject_reservation(
     view_ticket: ReservationTicket | None = None
 ) -> Response | None:
 
+    def respond() -> Response | None:
+        # return none on intercooler js requests
+        if not request.headers.get('X-IC-Request'):
+            if view_ticket is not None:
+                return request.redirect(request.link(view_ticket))
+            return request.redirect(request.link(self))
+        return None
+
     token = self.token
     resource = request.app.libres_resources.by_reservation(self)
     assert resource is not None
     reservation_id_str = request.params.get('reservation-id')
-    if isinstance(reservation_id_str, str) and reservation_id_str.isdigit():
-        reservation_id = int(reservation_id_str)
-    else:
-        reservation_id = 0
-
     all_reservations: list[Reservation] = (
         resource.scheduler.reservations_by_token(token)  # type:ignore
         .order_by(Reservation.start).all()
     )
-
     targeted: Sequence[Reservation]
-    targeted = tuple(r for r in all_reservations if r.id == reservation_id)
-    targeted = targeted or all_reservations
-    excluded = tuple(r for r in all_reservations if r.id not in {
-        r.id for r in targeted
-    })
+    if reservation_id_str is not None:
+        if not (
+            isinstance(reservation_id_str, str)
+            and reservation_id_str.isdigit()
+        ):
+            raise exc.HTTPBadRequest()
+
+        reservation_id = int(reservation_id_str)
+        targeted = tuple(r for r in all_reservations if r.id == reservation_id)
+        if not targeted:
+            request.warning(_('The targeted reservation no longer exists'))
+            return respond()
+    else:
+        targeted = all_reservations
+
+    targeted_ids = {r.id for r in targeted}
+    excluded = tuple(r for r in all_reservations if r.id not in targeted_ids)
 
     forms = FormCollection(request.session)
     submission = forms.submissions.by_id(token)
@@ -1277,12 +1291,7 @@ def reject_reservation(
             'to be refunded before the reservation can be rejected'
         ))
 
-        if not request.headers.get('X-IC-Request'):
-            if view_ticket is not None:
-                return request.redirect(request.link(view_ticket))
-            return request.redirect(request.link(self))
-
-        return None
+        return respond()
 
     savepoint = transaction.savepoint()
     ReservationMessage.create(targeted, ticket, request, 'rejected')
@@ -1441,12 +1450,7 @@ def email_iter() -> Iterator[EmailJsonDict]:
             'but the payment is no longer open.'
         ))
 
-    # return none on intercooler js requests
-    if not request.headers.get('X-IC-Request'):
-        if view_ticket is not None:
-            return request.redirect(request.link(view_ticket))
-        return request.redirect(request.link(self))
-    return None
+    return respond()
 
 
 @OrgApp.view(