Providers sharing (#1273)

* third party provider scoping * Simplify logic and allow only admins to mange providers * Broadcast fixes * FIX tests and build * Fixes * Reviews * Scope merchants * DRY fixes
2026-06-07 19:59:00 +00:00 · 2026-03-25 17:47:04 +01:00
parent 1627cf197b
commit 9410e5b38d
74 changed files with 588 additions and 583 deletions
--- a/app/controllers/transfers_controller.rb
+++ b/app/controllers/transfers_controller.rb
@@ -24,14 +24,8 @@ class TransfersController < ApplicationController
    source_account = accessible_accounts.find(transfer_params[:from_account_id])
    destination_account = accessible_accounts.find(transfer_params[:to_account_id])

-    unless source_account.permission_for(Current.user).in?([ :owner, :full_control ]) &&
-           destination_account.permission_for(Current.user).in?([ :owner, :full_control ])
-      respond_to do |format|
-        format.html { redirect_back_or_to transactions_path, alert: t("accounts.not_authorized") }
-        format.turbo_stream { stream_redirect_back_or_to(transactions_path, alert: t("accounts.not_authorized")) }
-      end
-      return
-    end
+    return unless require_account_permission!(source_account, redirect_path: transactions_path)
+    return unless require_account_permission!(destination_account, redirect_path: transactions_path)

    @transfer = Transfer::Creator.new(
      family: Current.family,
@@ -55,14 +49,7 @@ class TransfersController < ApplicationController

  def update
    outflow_account = @transfer.outflow_transaction.entry.account
-    permission = outflow_account.permission_for(Current.user)
-    unless permission.in?([ :owner, :full_control ])
-      respond_to do |format|
-        format.html { redirect_back_or_to transactions_url, alert: t("accounts.not_authorized") }
-        format.turbo_stream { stream_redirect_back_or_to(transactions_url, alert: t("accounts.not_authorized")) }
-      end
-      return
-    end
+    return unless require_account_permission!(outflow_account, redirect_path: transactions_url)

    Transfer.transaction do
      update_transfer_status
@@ -76,16 +63,8 @@ class TransfersController < ApplicationController
  end

  def destroy
-    # Require write permission on at least the outflow account
    outflow_account = @transfer.outflow_transaction.entry.account
-    permission = outflow_account.permission_for(Current.user)
-    unless permission.in?([ :owner, :full_control ])
-      respond_to do |format|
-        format.html { redirect_back_or_to transactions_url, alert: t("accounts.not_authorized") }
-        format.turbo_stream { stream_redirect_back_or_to(transactions_url, alert: t("accounts.not_authorized")) }
-      end
-      return
-    end
+    return unless require_account_permission!(outflow_account, redirect_path: transactions_url)

    @transfer.destroy!
    redirect_back_or_to transactions_url, notice: t(".success")