Family sharing (#1272)

* Initial account sharing changes

* Update schema.rb

* Update schema.rb

* Change sharing UI to modal

* UX fixes and sharing controls

* Scope include in finances better

* Update totals.rb

* Update totals.rb

* Scope reports to finance account scope

* Update impersonation_sessions_controller_test.rb

* Review fixes

* Update schema.rb

* Update show.html.erb

* FIX db validation

* Refine edit permissions

* Review items

* Review

* Review

* Add application level helper

* Critical review

* Address remaining review items

* Fix modals

* more scoping

* linter

* small UI fix

* Fix: Sync broadcasts push unscoped balance sheet to all users

* Update sync_complete_event.rb

 The fix removes the sidebar broadcasts (which rendered unscoped account groups using family.balance_sheet without user context)
  along with the now-unused sidebar_targets, account_group, and family_balance_sheet private methods.

  The sidebar will still update correctly — when the sync completes, Family::SyncCompleteEvent#broadcast fires family.broadcast_refresh, which triggers a
  morph-based page refresh for each user with their own authenticated session, rendering properly scoped sidebar content.

app/controllers/concerns/entryable_resource.rb

@@ -5,13 +5,15 @@ module EntryableResource
     include StreamExtensions, ActionView::RecordIdentifier
 
     before_action :set_entry, only: %i[show update destroy]
+
+    helper_method :can_edit_entry?, :can_annotate_entry?
   end
 
   def show
   end
 
   def new
-    account = Current.family.accounts.find_by(id: params[:account_id])
+    account = accessible_accounts.find_by(id: params[:account_id])
 
     @entry = Current.family.entries.new(
       account: account,
@@ -29,11 +31,18 @@ module EntryableResource
   end
 
   def destroy
-    account = @entry.account
+    unless can_edit_entry?
+      respond_to do |format|
+        format.html { redirect_back_or_to account_path(@entry.account), alert: t("accounts.not_authorized") }
+        format.turbo_stream { stream_redirect_back_or_to(account_path(@entry.account), alert: t("accounts.not_authorized")) }
+      end
+      return
+    end
+
     @entry.destroy!
     @entry.sync_account_later
 
-    redirect_back_or_to account_path(account), notice: t("account.entries.destroy.success")
+    redirect_back_or_to account_path(@entry.account), notice: t("account.entries.destroy.success")
   end
 
   private
@@ -42,6 +51,21 @@ module EntryableResource
     end
 
     def set_entry
-      @entry = Current.family.entries.find(params[:id])
+      @entry = Current.family.entries
+                 .joins(:account)
+                 .merge(Account.accessible_by(Current.user))
+                 .find(params[:id])
+    end
+
+    def entry_permission
+      @entry_permission ||= @entry&.account&.permission_for(Current.user)
+    end
+
+    def can_edit_entry?
+      entry_permission.in?([ :owner, :full_control ])
+    end
+
+    def can_annotate_entry?
+      entry_permission.in?([ :owner, :full_control, :read_write ])
     end
 end