Family sharing (#1272)

* Initial account sharing changes * Update schema.rb * Update schema.rb * Change sharing UI to modal * UX fixes and sharing controls * Scope include in finances better * Update totals.rb * Update totals.rb * Scope reports to finance account scope * Update impersonation_sessions_controller_test.rb * Review fixes * Update schema.rb * Update show.html.erb * FIX db validation * Refine edit permissions * Review items * Review * Review * Add application level helper * Critical review * Address remaining review items * Fix modals * more scoping * linter * small UI fix * Fix: Sync broadcasts push unscoped balance sheet to all users * Update sync_complete_event.rb The fix removes the sidebar broadcasts (which rendered unscoped account groups using family.balance_sheet without user context) along with the now-unused sidebar_targets, account_group, and family_balance_sheet private methods. The sidebar will still update correctly — when the sync completes, Family::SyncCompleteEvent#broadcast fires family.broadcast_refresh, which triggers a morph-based page refresh for each user with their own authenticated session, rendering properly scoped sidebar content.
2026-04-19 03:54:08 +00:00 · 2026-03-25 10:50:23 +01:00
parent 6cf7d20010
commit 560c9fbff3
75 changed files with 1520 additions and 401 deletions
--- a/app/controllers/accounts_controller.rb
+++ b/app/controllers/accounts_controller.rb
@@ -1,10 +1,15 @@
 class AccountsController < ApplicationController
-  before_action :set_account, only: %i[sync sparkline toggle_active set_default remove_default show destroy unlink confirm_unlink select_provider]
+  include StreamExtensions
+
+  before_action :set_account, only: %i[show sparkline sync set_default remove_default]
+  before_action :set_manageable_account, only: %i[toggle_active destroy unlink confirm_unlink select_provider]
  include Periodable

  def index
+    @accessible_account_ids = Current.user.accessible_accounts.pluck(:id)
    @manual_accounts = family.accounts
          .listable_manual
+          .where(id: @accessible_account_ids)
          .order(:name)
    @plaid_items = family.plaid_items.ordered.includes(:syncs, :plaid_accounts)
    @simplefin_items = family.simplefin_items.ordered.includes(:syncs)
@@ -200,7 +205,19 @@ class AccountsController < ApplicationController
    end

    def set_account
-      @account = family.accounts.find(params[:id])
+      @account = Current.user.accessible_accounts.find(params[:id])
+    end
+
+    def set_manageable_account
+      @account = Current.user.accessible_accounts.find(params[:id])
+      permission = @account.permission_for(Current.user)
+      unless permission.in?([ :owner, :full_control ])
+        respond_to do |format|
+          format.html { redirect_to account_path(@account), alert: t("accounts.not_authorized") }
+          format.turbo_stream { stream_redirect_to(account_path(@account), alert: t("accounts.not_authorized")) }
+        end
+        nil
+      end
    end

    # Builds sync stats maps for all provider types to avoid N+1 queries in views