mirror of
https://github.com/we-promise/sure.git
synced 2026-05-31 16:29:03 +00:00
65d8129cf2
Addresses PR #2046 review (superagent P1, Codex P2, jjmata): - IDOR (P1): a statement could reference another plan's pension_source via a crafted pension_source_id, leaking the source name + points history. Goal::RetirementStatement now validates the source belongs to the same plan. - Adjustment cap was bypassable: the limit lived only on Goal::Retirement (parent validations don't run on child saves), so the CRUD path allowed an 11th. Goal::RetirementAdjustment now enforces it on create. - Bucket account selection (and the show-page candidate list) now filter through accounts.accessible_by(Current.user), so a private account shared away from the user can't be added via a crafted POST. - Comment clarifying the deliberate update_column in soft_replace!. Tests for the IDOR guard + the child-level cap.
20 lines
865 B
Ruby
20 lines
865 B
Ruby
class Retirement::BucketsController < ApplicationController
|
|
include RetirementScoped
|
|
|
|
# Replace-all: the form submits the full set of selected account ids.
|
|
def update
|
|
requested = Array(params.dig(:bucket, :account_ids)).reject(&:blank?)
|
|
# accessible_by, not just family-scoped: a private account shared away
|
|
# from this user must not be addable to their bucket via a crafted POST.
|
|
valid_ids = Current.family.accounts.accessible_by(Current.user).where(id: requested).pluck(:id)
|
|
|
|
@plan.transaction do
|
|
@plan.retirement_bucket_entries.where.not(account_id: valid_ids).destroy_all
|
|
existing = @plan.retirement_bucket_entries.pluck(:account_id)
|
|
(valid_ids - existing).each { |account_id| @plan.retirement_bucket_entries.create!(account_id: account_id) }
|
|
end
|
|
|
|
redirect_to retirement_path, notice: t(".updated")
|
|
end
|
|
end
|