fix(goals): scope funding-account picker to the current user's accessible accounts (#2172)

* fix(goals): scope funding-account picker to the current user's accessible accounts

The new/edit goal funding picker and the linkable-account count queried
`Current.family.accounts`, so it listed (and would link/fund from) every
depository account in the family — including accounts owned by other
members that aren't shared with the current user. Switch the three
queries (index count, lookup, picker list) to
`Current.user.accessible_accounts`, matching the access boundary used
elsewhere. Adds controller tests covering the new-form picker and the
create path rejecting a non-accessible same-family account.

Fixes #2168

* fix(goals): preserve inaccessible linked accounts on goal edit

The funding picker only renders Current.user.accessible_accounts, so a
family goal linked to another member's private account renders no
checkbox for it. On update, sync_linked_accounts! treated that omission
as an intentional removal and destroyed the link the editor could not
see. Restrict unlinking to the editor's accessible accounts so links
outside their access are preserved. Adds a regression test.

test/controllers/goals_controller_test.rb

@@ -90,6 +90,47 @@ class GoalsControllerTest < ActionDispatch::IntegrationTest
     assert_response :unprocessable_entity
   end
 
+  test "new form excludes same-family accounts not shared with the current user" do
+    # Regression for #2168: funding-account picker leaked accounts owned by
+    # other family members that were never shared with the current user.
+    private_account = Account.create!(
+      family: @user.family,
+      owner: users(:family_member),
+      accountable: Depository.new,
+      name: "Member Private Checking",
+      currency: "USD",
+      balance: 100
+    )
+
+    get new_goal_url
+    assert_response :success
+    assert_no_match(/Member Private Checking/, response.body)
+    assert_no_match(/goal_account_ids_#{private_account.id}/, response.body)
+  end
+
+  test "create rejects a same-family account not shared with the current user" do
+    private_account = Account.create!(
+      family: @user.family,
+      owner: users(:family_member),
+      accountable: Depository.new,
+      name: "Member Private Checking",
+      currency: "USD",
+      balance: 100
+    )
+
+    assert_no_difference "Goal.count" do
+      post goals_url, params: {
+        goal: {
+          name: "Sneaky goal",
+          target_amount: "1000",
+          color: "#4da568",
+          account_ids: [ private_account.id ]
+        }
+      }
+    end
+    assert_response :unprocessable_entity
+  end
+
   test "update modifies identity fields" do
     patch goal_url(@goal), params: { goal: { name: "Renamed" } }
     assert_redirected_to goal_path(@goal)
@@ -109,6 +150,28 @@ class GoalsControllerTest < ActionDispatch::IntegrationTest
     assert_equal [ @connected.id ], @goal.reload.goal_accounts.pluck(:account_id)
   end
 
+  test "update preserves a linked account the current user cannot access" do
+    # Regression for #2172 review: a family goal can be linked to a private
+    # account owned by another member. That account is never rendered in the
+    # picker, so its absence from the submitted set must not unlink it.
+    private_account = Account.create!(
+      family: @user.family,
+      owner: users(:family_member),
+      accountable: Depository.new,
+      name: "Member Private Checking",
+      currency: @goal.currency,
+      balance: 100
+    )
+    @goal.goal_accounts.create!(account: private_account)
+
+    patch goal_url(@goal), params: { goal: { account_ids: [ @depository.id ] } }
+
+    assert_redirected_to goal_path(@goal)
+    linked = @goal.reload.goal_accounts.pluck(:account_id)
+    assert_includes linked, private_account.id, "inaccessible private link must be preserved"
+    assert_includes linked, @depository.id
+  end
+
   test "update with empty account_ids re-renders with error" do
     patch goal_url(@goal), params: { goal: { account_ids: [ "" ] } }
     assert_response :unprocessable_entity