mirror of
https://github.com/we-promise/sure.git
synced 2026-07-12 21:05:20 +00:00
fix(sharing): scope import account selects to accessible_by (#1803)
Three CSV / QIF account selects in import/uploads/show.html.erb and one PDF-import account select in imports/_pdf_import.html.erb pulled their options from `@import.family.accounts`. That listed every account in the family — including the family admin's unshared personal accounts — in the dropdown shown to any member running an import. Swap each call site to `Current.user.accessible_accounts` (owned + explicitly shared accounts only), matching the existing scoping used by the dashboard sidebar, transactions controller, transfers controller, etc. Adds a regression test that signs in as family_member and asserts the unshared-account names from the dylan_family fixtures never appear in the rendered upload page.
This commit is contained in:
@@ -35,6 +35,22 @@ class Import::UploadsControllerTest < ActionDispatch::IntegrationTest
|
||||
assert_equal "CSV uploaded successfully.", flash[:notice]
|
||||
end
|
||||
|
||||
test "account select does not leak unshared family accounts (#1803)" do
|
||||
sign_in users(:family_member)
|
||||
|
||||
get import_upload_url(@import)
|
||||
|
||||
assert_response :success
|
||||
assert_match "Checking Account", response.body,
|
||||
"Expected the shared account to appear in the account select"
|
||||
refute_match "Collectable Account", response.body,
|
||||
"Account select must not leak unshared assets to a non-owner family member"
|
||||
refute_match "IOU (personal debt to friend)", response.body,
|
||||
"Account select must not leak unshared liabilities to a non-owner family member"
|
||||
refute_match "Plaid Depository Account", response.body,
|
||||
"Account select must not leak unshared connected accounts to a non-owner family member"
|
||||
end
|
||||
|
||||
test "invalid csv cannot be uploaded" do
|
||||
patch import_upload_url(@import), params: {
|
||||
import: {
|
||||
|
||||
Reference in New Issue
Block a user