Providers sharing (#1273)

* third party provider scoping * Simplify logic and allow only admins to mange providers * Broadcast fixes * FIX tests and build * Fixes * Reviews * Scope merchants * DRY fixes
2026-04-17 11:04:14 +00:00 · 2026-03-25 17:47:04 +01:00
parent 1627cf197b
commit 9410e5b38d
74 changed files with 588 additions and 583 deletions
--- a/app/controllers/api/v1/accounts_controller.rb
+++ b/app/controllers/api/v1/accounts_controller.rb
@@ -9,7 +9,7 @@ class Api::V1::AccountsController < Api::V1::BaseController
  def index
    # Test with Pagy pagination
    family = current_resource_owner.family
-    accounts_query = family.accounts.visible.alphabetically
+    accounts_query = family.accounts.accessible_by(current_resource_owner).visible.alphabetically

    # Handle pagination with Pagy
    @pagy, @accounts = pagy(
--- a/app/controllers/api/v1/merchants_controller.rb
+++ b/app/controllers/api/v1/merchants_controller.rb
@@ -22,10 +22,15 @@ module Api
      # @return [Array<Hash>] JSON array of merchant objects
      def index
        family = current_resource_owner.family
+        user = current_resource_owner

        # Single query with OR conditions - more efficient than Ruby deduplication
        family_merchant_ids = family.merchants.select(:id)
-        provider_merchant_ids = family.transactions.select(:merchant_id)
+        accessible_account_ids = family.accounts.accessible_by(user).select(:id)
+        provider_merchant_ids = Transaction.joins(:entry)
+          .where(entries: { account_id: accessible_account_ids })
+          .where.not(merchant_id: nil)
+          .select(:merchant_id)

        @merchants = Merchant
          .where(id: family_merchant_ids)
@@ -48,10 +53,11 @@ module Api
      # @return [Hash] JSON merchant object or error
      def show
        family = current_resource_owner.family
+        user = current_resource_owner

        @merchant = family.merchants.find_by(id: params[:id]) ||
                    Merchant.joins(transactions: :entry)
-                            .where(entries: { account_id: family.accounts.select(:id) })
+                            .where(entries: { account_id: family.accounts.accessible_by(user).select(:id) })
                            .distinct
                            .find_by(id: params[:id])

--- a/app/controllers/api/v1/transactions_controller.rb
+++ b/app/controllers/api/v1/transactions_controller.rb
@@ -10,7 +10,9 @@ class Api::V1::TransactionsController < Api::V1::BaseController

  def index
    family = current_resource_owner.family
+    accessible_account_ids = family.accounts.accessible_by(current_resource_owner).select(:id)
    transactions_query = family.transactions.visible
+      .joins(:entry).where(entries: { account_id: accessible_account_ids })

    # Apply filters
    transactions_query = apply_filters(transactions_query)
@@ -76,7 +78,7 @@ class Api::V1::TransactionsController < Api::V1::BaseController
      return
    end

-    account = family.accounts.find(transaction_params[:account_id])
+    account = family.accounts.writable_by(current_resource_owner).find(transaction_params[:account_id])
    @entry = account.entries.new(entry_params_for_create)

    if @entry.save
@@ -177,7 +179,10 @@ end

    def set_transaction
      family = current_resource_owner.family
-      @transaction = family.transactions.find(params[:id])
+      @transaction = family.transactions
+        .joins(entry: :account)
+        .merge(Account.accessible_by(current_resource_owner))
+        .find(params[:id])
      @entry = @transaction.entry
    rescue ActiveRecord::RecordNotFound
      render json: {