sure/app/controllers/account_sharings_controller.rb

class AccountSharingsController < ApplicationController
  before_action :set_account

  def show
    @family_members = Current.family.users.where.not(id: @account.owner_id).where(active: true)
    @account_shares = @account.account_shares.includes(:user).index_by(&:user_id)
  end

  def update
    # Non-owners can update their own include_in_finances preference
    if !@account.owned_by?(Current.user) && params[:update_finance_inclusion].present?
      share = @account.account_shares.find_by!(user: Current.user)
      include_value = params.permit(:include_in_finances)[:include_in_finances]
      share.update!(include_in_finances: ActiveModel::Type::Boolean.new.cast(include_value))
      redirect_back_or_to account_path(@account), notice: t("account_sharings.update.finance_toggle_success")
      return
    end

    unless @account.owned_by?(Current.user)
      redirect_to account_path(@account), alert: t("account_sharings.update.not_owner")
      return
    end

    eligible_members = Current.family.users.where.not(id: @account.owner_id).where(active: true)

    AccountShare.transaction do
      sharing_members_params.each do |member_params|
        user = eligible_members.find_by(id: member_params[:user_id])
        next unless user

        share = @account.account_shares.find_by(user: user)

        if ActiveModel::Type::Boolean.new.cast(member_params[:shared])
          permission = AccountShare::PERMISSIONS.include?(member_params[:permission]) ? member_params[:permission] : (share&.permission || "read_only")
          if share
            share.update!(permission: permission)
          else
            @account.account_shares.create!(user: user, permission: permission, include_in_finances: true)
          end
        elsif share
          share.destroy!
        end
      end
    end

    redirect_back_or_to accounts_path, notice: t("account_sharings.update.success")
  end

  private

    def set_account
      @account = Current.user.accessible_accounts.find(params[:account_id])
    end

    def sharing_members_params
      return [] unless params.dig(:sharing, :members)

      params.require(:sharing).permit(
        members: [ :user_id, :shared, :permission ]
      )[:members]&.values || []
    end
end