fix: approval inbox AJAX 500 on anonymous submissions

The inbox and completed-approvals DataTables endpoints, plus the
inbox Excel export, accessed sub.submitter.get_full_name() directly,
which raised AttributeError: 'NoneType' object has no attribute
'get_full_name' for submissions made through public/anonymous forms.

Introduce a _submitter_label() helper that returns "Anonymous" when
the submission has no submitter and use it in the three unsafe
sites. Other callers across the package already had None guards.

Regression test: TestApprovalInboxView.test_approval_inbox_ajax_handles_anonymous_submitter.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: matteius

django_forms_workflows/views.py

@@ -3679,7 +3679,7 @@ def bulk_export_submissions(request):
             ws.cell(
                 row=row_idx,
                 column=2,
-                value=sub.submitter.get_full_name() or sub.submitter.username,
+                value=_submitter_label(sub),
             )
             ws.cell(row=row_idx, column=3, value=sub.get_status_display())
             ws.cell(
@@ -3938,6 +3938,16 @@ def _cat_html(cat):
     return f"{icon}{escape(cat.name)}"
 
 
+def _submitter_label(submission):
+    """Return a display name for a submission's submitter, or "Anonymous"
+    when the submission was made through a public/anonymous form.
+    Callers should escape() the result if rendering into HTML."""
+    user = submission.submitter
+    if user is None:
+        return "Anonymous"
+    return user.get_full_name() or user.username
+
+
 # ---------------------------------------------------------------------------
 # AJAX: completed_approvals
 # ---------------------------------------------------------------------------
@@ -4066,9 +4076,7 @@ def completed_approvals_ajax(request):
             ),
             "category": _cat_html(getattr(sub.form_definition, "category", None)),
             "form": escape(sub.form_definition.name),
-            "submitter": escape(
-                sub.submitter.get_full_name() or sub.submitter.username
-            ),
+            "submitter": escape(_submitter_label(sub)),
             "status": _STATUS_BADGE.get(
                 sub.status,
                 f'<span class="badge bg-light text-dark">{escape(sub.status)}</span>',
@@ -4212,9 +4220,7 @@ def approval_inbox_ajax(request):
                 f'<i class="bi bi-eye"></i> View</a>'
             ),
             "form": escape(sub.form_definition.name),
-            "submitter": escape(
-                sub.submitter.get_full_name() or sub.submitter.username
-            ),
+            "submitter": escape(_submitter_label(sub)),
             "step_num": escape(stage_name),
             "assigned": escape(
                 task.assigned_group.name

tests/test_views.py

@@ -141,6 +141,29 @@ def test_approval_inbox(self, auth_client, user, submission, approval_group):
         resp = auth_client.get(url)
         assert resp.status_code == 200
 
+    def test_approval_inbox_ajax_handles_anonymous_submitter(
+        self, auth_client, user, form_with_fields, approval_group
+    ):
+        user.groups.add(approval_group)
+        anon_sub = FormSubmission.objects.create(
+            form_definition=form_with_fields,
+            submitter=None,
+            form_data={"full_name": "Walk-in"},
+            status="submitted",
+        )
+        ApprovalTask.objects.create(
+            submission=anon_sub,
+            assigned_group=approval_group,
+            step_name="Review",
+            status="pending",
+        )
+        url = reverse("forms_workflows:approval_inbox_ajax")
+        resp = auth_client.post(url, {"draw": 1, "start": 0, "length": 10})
+        assert resp.status_code == 200
+        payload = resp.json()
+        assert payload["recordsTotal"] >= 1
+        assert any("Anonymous" in row["submitter"] for row in payload["data"])
+
 
 # ── withdraw_submission ──────────────────────────────────────────────────