fix(sharing): scope import account selects to accessible_by (#1803)

Three CSV / QIF account selects in import/uploads/show.html.erb and one
PDF-import account select in imports/_pdf_import.html.erb pulled their
options from `@import.family.accounts`. That listed every account in
the family — including the family admin's unshared personal accounts —
in the dropdown shown to any member running an import. Swap each call
site to `Current.user.accessible_accounts` (owned + explicitly shared
accounts only), matching the existing scoping used by the dashboard
sidebar, transactions controller, transfers controller, etc.

Adds a regression test that signs in as family_member and asserts the
unshared-account names from the dylan_family fixtures never appear in
the rendered upload page.
This commit is contained in:
dripsmvcp
2026-06-05 10:28:43 +09:00
parent 96079188a2
commit e4e64ec82f
3 changed files with 20 additions and 4 deletions

View File

@@ -35,6 +35,22 @@ class Import::UploadsControllerTest < ActionDispatch::IntegrationTest
assert_equal "CSV uploaded successfully.", flash[:notice]
end
test "account select does not leak unshared family accounts (#1803)" do
sign_in users(:family_member)
get import_upload_url(@import)
assert_response :success
assert_match "Checking Account", response.body,
"Expected the shared account to appear in the account select"
refute_match "Collectable Account", response.body,
"Account select must not leak unshared assets to a non-owner family member"
refute_match "IOU (personal debt to friend)", response.body,
"Account select must not leak unshared liabilities to a non-owner family member"
refute_match "Plaid Depository Account", response.body,
"Account select must not leak unshared connected accounts to a non-owner family member"
end
test "invalid csv cannot be uploaded" do
patch import_upload_url(@import), params: {
import: {