gigafibre-fsm/apps
louispaulb 81d61aa9d9 feat(ops/auth): invite-user UI in Settings — creates Authentik + ERPNext + recovery email
Surfaces an "Inviter" button in Settings → Utilisateurs that, in one
round-trip:

  1. Creates the Authentik user (random password, requested OPS_GROUPS,
     auto username from local-part of email with collision suffix).
  2. Triggers Authentik's recovery email so the user picks their own
     password on first login. If the Email stage isn't configured,
     falls back to /core/users/{pk}/recovery/ which returns a one-time
     URL the admin can copy + send via SMS or Slack.
  3. Creates the matching ERPNext System User with the requested
     roles (default: Employee) and `social_logins=[{provider:authentik,
     userid:email}]` so OAuth2 finds them on first SSO login.
     send_welcome_email=1 also fires Frappe's invite mail.

Idempotent on both sides: if the Authentik user already exists, we
PATCH the requested groups; if the ERPNext User exists, we skip the
POST and return existing=true. Lets the admin re-invite somebody
after a botched first try without breaking anything.

UI:
  • "Inviter" button next to the user search bar, gated by the
    `manage_users` capability (existing pattern).
  • q-dialog with full_name + email + chip-pickable Authentik groups
    (admin/sysadmin/tech/support/comptabilite/facturation/dev) + a
    comma-separated ERPNext roles input (defaults to Employee).
  • Optimistic insert into the visible list on success; the next
    search reconciles.
2026-05-05 15:29:18 -04:00
client fix(portal): deploy Vue SPA to portal.gigafibre.ca, retire client.gigafibre.ca 2026-04-22 15:02:31 -04:00
ops feat(ops/auth): invite-user UI in Settings — creates Authentik + ERPNext + recovery email 2026-05-05 15:29:18 -04:00
portal fix(portal): deploy Vue SPA to portal.gigafibre.ca, retire client.gigafibre.ca 2026-04-22 15:02:31 -04:00
website security: remove exposed credentials, add .gitignore, harden infra 2026-03-28 09:17:33 -04:00