fix(goals): validate color format + restore cascade on drop migration

- Add hex-format validation on Goal#color so submissions can't smuggle arbitrary CSS into the style attribute on the avatar / picker preview. The picker accepts custom hexes, so format validation (not inclusion) is the right shape — anything not matching #RRGGBB is rejected at the model boundary. - Fix the on_delete in the down block of drop_goal_contributions to match the original cascade. Restoring with restrict was a schema drift that would have shifted referential behavior after a rollback.
2026-06-01 08:49:01 +00:00 · 2026-05-18 20:57:22 +02:00
parent 30c2638fd0
commit fb36ac319a
2 changed files with 2 additions and 1 deletions
--- a/app/models/goal.rb
+++ b/app/models/goal.rb
@@ -5,6 +5,7 @@ class Goal < ApplicationRecord
  ICONS = Category.icon_codes

  validates :icon, inclusion: { in: ICONS, allow_nil: true }
+  validates :color, format: { with: /\A#[0-9A-Fa-f]{6}\z/ }, allow_nil: true

  belongs_to :family
  has_many :goal_accounts, dependent: :destroy
--- a/db/migrate/20260514120001_drop_goal_contributions.rb
+++ b/db/migrate/20260514120001_drop_goal_contributions.rb
@@ -6,7 +6,7 @@ class DropGoalContributions < ActiveRecord::Migration[7.2]
  def down
    create_table :goal_contributions, id: :uuid do |t|
      t.references :goal, null: false, foreign_key: { on_delete: :cascade }, type: :uuid
-      t.references :account, null: false, foreign_key: { on_delete: :restrict }, type: :uuid
+      t.references :account, null: false, foreign_key: { on_delete: :cascade }, type: :uuid
      t.decimal :amount, precision: 19, scale: 4, null: false
      t.string :currency, null: false
      t.string :source, default: "manual", null: false