feat(transaction): add support for file attachments using Active Storage (#713)

* feat(transaction): add support for file attachments using Active Storage

* feat(attachments): implement transaction attachments with upload, show, and delete functionality

* feat(attachments): enhance attachment upload functionality to support multiple files and improved error handling

* feat(attachments): add attachment upload form and display functionality in transaction views

* feat(attachments): implement attachment validation for count, size, and content type; enhance upload form with validation hints

* fix(attachments): use correct UI components

* feat(attachments): Implement Turbo Stream responses for creating and deleting transaction attachments.

* fix(attachments): include auth in activestorage controller

* test(attachments): add test coverage for turbostream and auth

* feat(attachments): extract strings to i18n

* fix(attachments): ensure only newly added attachments are purged when transaction validation fails.

* fix(attachments): validate attachment params

* refactor(attachments): use stimulus declarative actions

* fix(attachments): add auth for other representations

* refactor(attachments): use Browse component for attachment uploads

* fix(attachments): reject empty values on attachment upload

* fix(attachments): hide the upload form if reached max uploads

* fix(attachments): correctly purge only newly added attachments on upload failure

* fix(attachments): ensure attachment count limit is respected within a transaction lock

* fix(attachments): update attachment parameter handling to avoid `ParameterMissing` errors.

* fix(components): adjust icon_only logic for buttonish

---------

Signed-off-by: Juan José Mata <juanjo.mata@gmail.com>
Co-authored-by: Juan José Mata <juanjo.mata@gmail.com>

test/integration/active_storage_authorization_test.rb

@@ -0,0 +1,58 @@
+require "test_helper"
+
+class ActiveStorageAuthorizationTest < ActionDispatch::IntegrationTest
+  setup do
+    @user_a = users(:family_admin) # In dylan_family
+    @user_b = users(:empty) # In empty family
+
+    @transaction_a = transactions(:one) # Assuming it belongs to dylan_family via its entry/account
+    @transaction_a.attachments.attach(
+      io: StringIO.new("Family A Secret Receipt"),
+      filename: "receipt.pdf",
+      content_type: "application/pdf"
+    )
+    @attachment_a = @transaction_a.attachments.first
+  end
+
+  test "user can access attachments within their own family" do
+    sign_in @user_a
+
+    # Get the redirect URL from our controller
+    get transaction_attachment_path(@transaction_a, @attachment_a)
+    assert_response :redirect
+
+    # Follow the redirect to ActiveStorage::Blobs::RedirectController
+    follow_redirect!
+
+    # In test/local environment, it will redirect again to a disk URL
+    assert_response :redirect
+    assert_match(/rails\/active_storage\/disk/, response.header["Location"])
+  end
+
+  test "user cannot access attachments from a different family" do
+    sign_in @user_b
+
+    # Even if they find the signed global ID (which is hard but possible),
+    # the monkey patch should block them at the blob controller level.
+    # We bypass our controller and go straight to the blob serving URL to test the security layer
+    get rails_blob_path(@attachment_a)
+
+    # The monkey patch raises ActiveRecord::RecordNotFound which rails converts to 404
+    assert_response :not_found
+  end
+
+  test "user cannot access variants from a different family" do
+    # Attach an image to test variants
+    file = File.open(Rails.root.join("test/fixtures/files/square-placeholder.png"))
+    @transaction_a.attachments.attach(io: file, filename: "test.png", content_type: "image/png")
+    attachment = @transaction_a.attachments.last
+    variant = attachment.variant(resize_to_limit: [ 100, 100 ]).processed
+
+    sign_in @user_b
+
+    # Straight to the representation URL
+    get rails_representation_path(variant)
+
+    assert_response :not_found
+  end
+end