QT/sure
1
0
Fork 0
mirror of https://github.com/we-promise/sure.git synced 2026-05-30 15:59:02 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
65d8129cf297c3c0eff7c52493f65c601d3a7bde
sure/test
History
Guillem Arias 65d8129cf2 fix(retirement): review fixes — IDOR, adjustment cap, bucket access 
Addresses PR #2046 review (superagent P1, Codex P2, jjmata):

- IDOR (P1): a statement could reference another plan's pension_source
  via a crafted pension_source_id, leaking the source name + points
  history. Goal::RetirementStatement now validates the source belongs
  to the same plan.
- Adjustment cap was bypassable: the limit lived only on Goal::Retirement
  (parent validations don't run on child saves), so the CRUD path allowed
  an 11th. Goal::RetirementAdjustment now enforces it on create.
- Bucket account selection (and the show-page candidate list) now filter
  through accounts.accessible_by(Current.user), so a private account
  shared away from the user can't be added via a crafted POST.
- Comment clarifying the deliberate update_column in soft_replace!.

Tests for the IDOR guard + the child-level cap.
2026-05-30 09:39:31 +02:00
..
channels/application_cable
Initial commit
2024-02-02 09:05:04 -06:00
components
fix(design-system): DS::Menu add :icon_sm variant for dense action lists (#1930)
2026-05-23 09:18:16 +02:00
controllers
feat(retirement): PR2 CRUD for sources, statements, adjustments, bucket
2026-05-29 10:49:18 +02:00
data_migrations
Additional cache columns on balances for activity view breakdowns (#2505)
2025-07-23 10:06:25 -04:00
fixtures
feat(retirement): PR2 data models — pension sources, statements, bucket
2026-05-29 10:36:18 +02:00
helpers
feat(imports): verify Sure NDJSON import readback (#1869)
2026-05-20 21:35:22 +02:00
integration
fix(a11y): add skip-link and aria-current="page" to application layout (#1781)
2026-05-14 21:53:31 +02:00
interfaces
fix: currency being ignored for properties (#1556)
2026-04-29 13:47:32 +02:00
javascript
feat(dashboard): zoom into cashflow sankey categories (#1807)
2026-05-20 21:17:35 +02:00
jobs
Merge origin/main into feat/goals-v2-architecture
2026-05-20 21:41:47 +02:00
lib
feat(i18n): complete Catalan translations + extract residual hardcoded strings (#1836)
2026-05-19 13:37:10 +02:00
mailers
Add scheduled DemoFamilyRefreshJob to rebuild demo data daily (#1217)
2026-03-17 19:41:26 +01:00
migrations
Add Plaid migration constant alias (#1235)
2026-03-21 01:03:19 +01:00
models
fix(retirement): review fixes — IDOR, adjustment cap, bucket access
2026-05-30 09:39:31 +02:00
policies
refactor: improve SSO provider management and logging
2026-01-03 21:13:24 -05:00
services
Simplefin enhancements v2 (#267)
2025-11-17 21:51:37 +01:00
support
feat: Add LLM prompt for API endpoint consistency (#949)
2026-02-10 23:36:25 +01:00
system
feat(design-system): split DS::Menu into strict action-list + new DS::Popover (#1850)
2026-05-20 18:30:25 +02:00
vcr_cassettes
More rebranding changes (#159)
2025-09-24 00:19:51 +02:00
views
fix(a11y): add skip-link and aria-current="page" to application layout (#1781)
2026-05-14 21:53:31 +02:00
api_endpoint_consistency_rule_test.rb
feat: Add LLM prompt for API endpoint consistency (#949)
2026-02-10 23:36:25 +01:00
application_system_test_case.rb
Add Actual Budget CSV import flow (#1830)
2026-05-18 18:38:53 +02:00
encryption_verification_test.rb
Initial security fixes (#461)
2026-01-23 22:05:28 +01:00
i18n_test.rb
New Design System + Codebase Refresh (#1823)
2025-02-21 11:57:59 -05:00
test_helper.rb
feat(retirement): PR2 data models — pension sources, statements, bucket
2026-05-29 10:36:18 +02:00